              <div align="right">
${TARGET="offline"}                <a href="${LDAP_SDK_HOME_URL}" style="font-size: 85%">LDAP SDK Home Page</a>
${TARGET="offline"}                <br>
                <a href="${BASE}index.${EXTENSION}" style="font-size: 85%">Product Information</a>
              </div>

              <h2>Release Notes</h2>

              <h3>Version 5.1.0</h3>

              <p>
                The following changes were made between the 5.0.1 and 5.1.0 releases:
              </p>

              <ul>
                <li>
                  Added a new SchemaValidator class and an accompanying validate-ldap-schema
                  command-line tool that can examine schema definitions in one or more LDIF files
                  to identify potential issues like unparseable definitions, elements with
                  references to other elements that aren't defined in the schema, invalid names or
                  OIDs, empty descriptions, and invalid object class inheritance.  The types of
                  validation to perform can be customized to allow the validator to be more strict
                  or lenient as desired.
                  <br><br>
                </li>

                <li>
                  Added an ldappasswordmodify tool that can be used to update passwords for users
                  in an LDAP directory server.  It supports changing passwords using the password
                  modify extended operation, a a regular LDAP modify operation, or an Active
                  Directory-specific modify operation.
                  <br><br>
                </li>

                <li>
                  Added an ldifsearch tool that can be used to find entries in one or more LDIF
                  files that match given sets of criteria.
                  <br><br>
                </li>

                <li>
                  Added an ldifmodify tool that can be used to apply add, delete, modify, and
                  modify DN updates read from a changes file to entries read from a source LDIF
                  file, writing the updated entries to a target LDIF file.
                  <br><br>
                </li>

                <li>
                  Added an ldif-diff tool that can be used to compare the contents of two LDIF
                  files.  The differences will be written as the set of LDIF add, delete, and
                  modify change records needed to convert the set of entries in the source LDIF
                  file into the set of entries contained in the target LDIF file.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to allow adding custom attributes to the
                  otherwise dynamically generated root DSE.  It was already possible to override
                  the root DSE entry with a static entry provided in the configuration, but that
                  would prevent certain state-maintaining attributes (for example,
                  firstChangeNumber and lastChangeNumber) from being accurately reflected.  It is
                  now possible to provide a set of custom attributes to include in the root DSE
                  while allowing the server to dynamically generate any other attributes that the
                  server normally maintains.  Note that if the server is configured with any
                  custom root DSE attribute that has the same name as an attribute that would
                  normally be dynamically generated, the custom attribute will take precedence
                  over the dynamically generated version.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server so that it can return entries with the
                  ldapSubEntry object class if the filter includes an "(objectClass=ldapSubEntry)"
                  component.  The server may also return entries without the ldapSubEntry object
                  class if the filter matches them.  For example, to return all entries that do
                  and do not contain the ldapSubEntry object class, you may now search with a
                  filter of "(|(objectClass=*)(objectClass=ldapSubEntry))".
                  <br><br>
                </li>

                <li>
                  Updated the command-line tool that may be used to launch an instance of the
                  in-memory directory server so that it will validate any schema definitions
                  provided via the --useSchemaFile argument and report error or warning messages
                  for any problems that it identifies with those definitions.  Note that other
                  than potentially displaying additional messages at startup, this will not
                  actually change the behavior of the server in any way.  It will still attempt
                  to use those schema definitions to the best of its ability, but it will now be
                  easier to detect problems that could affect their use whereas such issues had
                  previously been silently ignored.  These messages may be suppressed using the
                  new --doNotValidateSchemaDefinitions if they are not wanted.
                  <br><br>
                </li>

                <li>
                  Added support for the LDAP subentries request control as described in RFC 3672.
                  The LDAP SDK already provided support for the version of the LDAP subentries
                  request control described in draft-ietf-ldup-subentry, but these are different
                  controls with different OIDs and slightly different behaviors; the draft version
                  of the control will cause only matching entries with the ldapSubEntry object
                  class to be included in search results, while the RFC version of the control
                  includes a Boolean value indicating whether to only return entries with the
                  ldapSubEntry object class or to return both regular entries and subentries.
                  <br><br>
                </li>

                <li>
                  Deprecated the existing SubentriesRequestControl class (which implemented
                  support for the control described in draft-ietf-ldup-subentry) in favor of two
                  new classes, DraftLDUPSubentriesRequestControl and
                  RFC3672SubentriesRequestControl.  This will help avoid confusion and ambiguity
                  over which version of the control is to be used.  The deprecated class remains
                  a fully functional implementation of the draft specification and will be
                  retained for the purpose of backward compatibility, but all new uses should
                  choose either the DraftLDUPSubentriesRequestControl class or the
                  RFC3672SubentriesRequestControl class to make it clearer which version of the
                  control should be used.
                  <br><br>
                </li>

                <li>
                  Updated the ldapsearch command-line tool to include support for the RFC 3672
                  version of the subentries request control.  The existing --includeSubentries
                  argument is still supported for the purpose of backward compatibility, but the
                  public identifier for that argument is now --draftLDUPSubentries, and the
                  --includeSubentries identifier has been hidden.  A new --rfc3672Subentries
                  argument is available to indicate that the RFC version of the control should
                  be used, and this argument takes a value of either "true" (to indicate that
                  only subentries should be returned) or "false" (to indicate that both subentries
                  and regular entries should be returned).
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server with support for the RFC 3672 version of
                  the subentries request control.  It already provided support for the
                  draft-ietf-ldup-subentry version of the control.
                  <br><br>
                </li>

                <li>
                  Added a "values-only" output format for the ldapsearch command-line tool.  If
                  this output format is selected, only attribute values will be included in the
                  output, without output names, entry DNs, or blank lines between entries.  This
                  output format makes it easier to extract raw attribute values from a directory
                  server.
                  <br><br>
                </li>

                <li>
                  Added a "--requireMatch" argument to the ldapsearch command-line tool.  If this
                  argument is provided and the search operation completes successfully but does
                  not return any matching entries, then the tool will complete with an exit code
                  of 94 (noResultsReturned), rather than the usual exit code of 0 (success).
                  This argument only affects the tool exit code; it will not have any visible
                  effect on the output.
                  <br><br>
                </li>

                <li>
                  Updated the round-robin and fewest connections server sets to expose the
                  blacklist manager.  Clients may use this to obtain information about servers
                  that are temporarily considered unavailable.
                  <br><br>
                </li>

                <li>
                  Improved the logic that the LDAP SDK uses when selecting ordering and substring
                  matching rules for the case in which the attribute type is defined in a schema
                  that is available to the LDAP SDK, but the attribute type definition does not
                  specify the ordering or substring rule to use for that attribute.  In such
                  cases, the LDAP SDK would previously try to determine an appropriate default
                  based on the attribute syntax, and failing that, just use a default rule with
                  case-insensitive matching.  It will may now try to select a more appropriate
                  ordering or substring rule based on the equality matching rule for the attribute
                  type before checking the syntax.  This can help provide more expected behavior
                  for an attribute type with an equality matching rule that the LDAP SDK supports
                  but is not the default rule for its associated syntax.
                  <br><br>
                </li>

                <li>
                  Added a new TopologyRegistryTrustManager class that can read the configuration
                  file for a Ping Identity Directory Server instance to obtain information about
                  certificates for that instance and other instances in the topology.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP command-line tool framework so that if it detects that the tool
                  is running as part of a Ping Identity Directory Server installation, and if no
                  trust-related arguments are provided for that tool, then it will include the
                  server's default trust store and topology registry in the set of sources that
                  that it will consider (which already included the JVM-default trust manager)
                  before resorting to interactively prompting the user about whether to trust the
                  presented certificate chain.  In most cases, this will allow these tools to
                  trust the local instance, and other instances in the same topology, for secure
                  communication without the need for providing trust-related arguments on the
                  command line.
                  <br><br>
                </li>

                <li>
                  Streamlined and improved the behavior that LDAP command-line tools exhibit when
                  run in interactive mode.  The interactive process will now prefer secure
                  communication over unencrypted connections, with LDAPS preferred over LDAP with
                  StartTLS.  It will no longer prompt for trust-related arguments by default,
                  automatically trusting certificates signed by an issuer in the JVM's default
                  trust store or falling back to interactive confirmation, although it is still
                  possible to specify an alternate trust configuration if desired.  It will now
                  prefer LDAP simple authentication over unauthenticated connections, and it will
                  no longer ask you to confirm the bind password (although it will allow you to
                  re-enter settings if it can't authenticate with the given password).  Finally,
                  if the tool is part of a Ping Identity Directory Server installation, it will
                  now select the default port and communication security type based on options
                  defined in the server configuration, and it can automatically trust certificates
                  that the server considers trusted.
                  <br><br>
                </li>

                <li>
                  Made several improvements to the summarize-access-log tool, which may be used to
                  analyze and provide a summary of the contents of Ping Identity, UnboundID, or
                  Nokia/Alcatel-Lucent 8661 server access logs.  You can now customize the maximum
                  number of values to display for each item (the tool previously used a hard-coded
                  limit of 20 values), and it will now tell you how many values were omitted.  You
                  can also choose to de-anonymize the output to obtain more specific values,
                  whereas filters and DNs were previously always generified by replacing attribute
                  values with question marks.  The summary will now also include information about
                  the most common TLS protocols and cipher suites, the most common successful and
                  failed bind DNs, the most common alternate authorization DNs, the most common
                  authentication mechanisms, the most common filters used for unindexed searches,
                  the most common base DNs for searches with non-base scopes, the filters used for
                  the searches taking the longest to complete, and the most common filters for
                  searches returning zero, one, and multiple entries.  Finally, when summarizing
                  the most commonly invoked types of extended operations, the tool will now try to
                  provide a human-readable name for the extended operation in addition to its OID.
                  <br><br>
                </li>

                <li>
                  Added client-side support for password policy state information from the
                  ds-pwp-state-json virtual attribute that may be generated by the Ping Identity
                  Directory Server.
                  <br><br>
                </li>

                <li>
                  Added client-side support for a new populate composed attribute values task for
                  use in conjunction with the Ping Identity Directory Server.
                  <br><br>
                </li>

                <li>
                  Added client-side support for a new generate server profile task for use in
                  conjunction with the Ping Identity Directory Server.
                  <br><br>
                </li>

                <li>
                  Added an OID.parseNumericOID method that can be used to parse a provided string
                  as a valid numeric object identifier, optionally performing strict validation.
                  If the provided string is not a valid numeric OID, this method will throw an
                  exception that provides the reason the string is considered invalid.  While the
                  LDAP SDK previously made it possible to determine whether a given string
                  represented a valid numeric OID, that method only returned a boolean value and
                  did not provide a way to obtain the reason it was invalid.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK to provide more useful error messages for problems that may
                  arise while parsing schema definitions.  While the previous error messages
                  specified what the problem was, the updated message will make it easier to
                  pinpoint the problem in the schema definition by including the name of the
                  component in which the problem was identified.  For example, if an attribute
                  type definition contained an empty description, the previous error message would
                  simply say that the element was invalid because it contained an empty quoted
                  string, but it will now say that it was in the value for the DESC element.
                  <br><br>
                </li>

                <li>
                  Updated the code used to parse schema elements to allow the DESC component to be
                  an empty string.  While empty quoted strings are not allowed in schema elements
                  as per RFC 4512 section 4.1, some servers permit the DESC element to violate
                  this restriction, and it may therefore be necessary to parse schema elements
                  with empty descriptions.  Empty descriptions are still not allowed by default,
                  but this can be now overridden with a code change or by setting a system
                  property.
                  <br><br>
                </li>

                <li>
                  Added an IA5 string argument value validator that can be used to ensure that
                  values for associated arguments are only allowed to contain ASCII characters
                  (that is, characters from the IA5 character set).  It may optionally be
                  configured to accept or reject empty strings.
                  <br><br>
                </li>

                <li>
                  Updated the manage-certificates tool to improve the validation that it performs
                  for DNS names and email addresses provided for use in the subject alternative
                  name or issue alternative name extensions.  These fields are declared with an
                  IA5 string syntax, which means that their values are only allowed to contain
                  ASCII characters.  Previously, attempts to use a value with a non-ASCII
                  character would fail with an internal error when attempting to create the
                  extension.  The tool will now report a more user-friendly error message.
                  <br><br>
                </li>

                <li>
                  Added StaticUtils methods that can be used to determine if a provided string is
                  comprised only of ASCII characters, or only of printable ASCII characters.  The
                  LDAP SDK already provided variants of these methods that operated on byte
                  arrays, but it now also offers versions that work for strings.
                  <br><br>
                </li>

                <li>
                  Added StaticUtils methods for encoding and decoding timestamps in the ISO 8601
                  format described in RFC 3339.
                  <br><br>
                </li>

                <li>
                  Fixed an issue with StaticUtils.isASCIIString(String) in which it could fail to
                  properly identify all non-ASCII characters because it only looked at the lower
                  byte for each character.
                  <br><br>
                </li>

                <li>
                  Added new ByteStringBuffer utility methods, including convenience methods for
                  getting individual bytes or sets of bytes at a specified position, for
                  determining whether the buffer starts with or ends with a given set of bytes,
                  and for reading the contents of a file or input stream into the buffer.
                  <br><br>
                </li>

                <li>
                  Added new StaticUtils utility methods for reading and writing files as bytes,
                  strings, or lists of lines.
                  <br><br>
                </li>

                <li>
                  Added new password policy state account usability warning and notice types for
                  use in conjunction with the Ping Identity Directory Server to indicate that the
                  user's account has too many outstanding failed authentication attempts, but that
                  the user will not actually be prevented from authenticating as a result of their
                  password policy configuration.
                  <br><br>
                </li>

                <li>
                  Updated the support for the version monitor entry in the Ping Identity Directory
                  Server to provide a getRevisionID method that can be used to retrieve a string
                  that identifies the source revision from which the server was built.  The former
                  getRevisionNumber method has been deprecated, as the server may not have been
                  checked out from a version control system that uses numeric revision IDs.
                  <br><br>
                </li>

                <li>
                  Fixed an issue in debug logging that could prevent a debug message including an
                  exception with an underlying cause from being parsed as a valid JSON object.
                  <br><br>
                </li>

                <li>
                  Updated command-line tools so that if the --help-sasl argument is used in
                  conjunction with a --saslOption argument that provides a "mech" option that
                  specifies a mechanism name, then only the options for that mechanism will be
                  displayed.  If no mechanism is specified, or if the specified mechanism is not
                  recognized, then information will be displayed for all available mechanisms.
                  <br><br>
                </li>

                <li>
                  Fixed an issue in the command-line tool framework that could arise when setting
                  the value of a usage argument through a properties file.  In some cases, the
                  tool could exit with an error if the usage argument was set through a properties
                  file even though it would have succeeded if that same argument had been provided
                  directly on the command line.
                  <br><br>
                </li>

                <li>
                  Updated the default standard schema provided with the LDAP SDK to include
                  additional attribute syntaxes, matching rules, attribute types, and object
                  classes.
                  <br><br>
                </li>

                <li>
                  Updated the documentation to include draft-ietf-kitten-gss-sanon,
                  draft-ietf-kitten-password-storage, and draft-melnikov-scram-sha-512 in the set
                  of LDAP-related specifications.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 5.0.1</h3>

              <p>
                The following changes were made between the 5.0.0 and 5.0.1 releases:
              </p>

              <ul>
                <li>
                  Added an LDAP connection logger API that can be used to keep a record of
                  processing performed by the LDAP SDK, including successful and failed connection
                  attempts, operation requests and responses (including search result entries,
                  search result references, and intermediate responses), and disconnects.  The
                  LDAP SDK includes a logger capable of formatting these messages as JSON objects,
                  but the API is extensible, so custom implementations may be created to use
                  alternate formats if desired.
                  <br><br>
                </li>

                <li>
                  Fixed an issue that prevented the collect-support-data tool from running
                  properly in local mode when using a secure connection.
                  <br><br>
                </li>

                <li>
                  Updated LDAP command-line tools to allow "--host" or "--address" as an
                  alternative to "--hostname" as the name of the argument used to specify the
                  address of the target server.
                  <br><br>
                </li>

                <li>
                  Applied minor updates to the usage output for several command-line tools to
                  improve wording and fix typos.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 5.0.0</h3>

              <p>
                The following changes were made between the 4.0.14 and 5.0.0 releases:
              </p>

              <ul>
                <li>
                  As of the 5.0.0 release, the UnboundID LDAP SDK for Java is available under the
                  terms of the Apache License, Version 2.0.  This is a very permissive
                  OSI-approved open source license that should be suitable for just about any use
                  case.  We recommend choosing this license for all new users of the LDAP SDK, but
                  it remains available under the terms of the former GPLv2, LGPLv2.1, and
                  UnboundID LDAP SDK Free Use License options.
                  <br><br>
                </li>

                <li>
                  Fixed an issue that could interfere with GSSAPI authentication in cases where
                  a JAAS login module configuration was loaded and cached by the JVM before all
                  the appropriate system properties had been set for the login attempt.  The
                  configuration is now refreshed before attempting to create the login context
                  so that the system property changes will be applied.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK's support for defining the properties needed to create LDAP
                  connections or connection pools in a JSON file to add an option to use the
                  JVM-default trust store.  It may be used either on its own or in conjunction
                  with a trust store file.
                  <br><br>
                </li>

                <li>
                  Updated the key store key manager to provide support for validating that the
                  provided key store can actually be used.  If enabled and no alias is provided,
                  this validation will ensure that the key store contains at least one private key
                  entry in which all certificates in the chain are currently within their validity
                  window.  If an alias is provided, then that alias must reference a private key
                  entry in which all certificates in the chain are within their validity window.
                  The LDAP command-line tool framework has been updated so that validation will be
                  performed if the keyStorePath argument is provided.
                  <br><br>
                </li>

                <li>
                  Updated the trust store trust manager to remove unnecessary synchronization and
                  improve concurrency.
                  <br><br>
                </li>

                <li>
                  Fixed an issue that could cause the LDAP debugger request handler (used used by
                  the ldap-debugger tool and by the in-memory directory server's LDAP debug
                  logging) to hold messages in an internal buffer rather than make them
                  immediately available.  In some cases, this could significantly delay the
                  appearance of the messages or prevent them from appearing at all (if there
                  weren't enough messages generated to fill the buffer).
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK's support for parsing information in the Ping Identity
                  Directory Server's general monitor entry to include support for the clusterName,
                  locationName, locationDN, and serverUUID attributes.
                  <br><br>
                </li>

                <li>
                  Fixed an issue that prevented the LDAP SDK from properly decoding 384-bit
                  elliptic curve public keys in X.509 certificates.  This did not affect the
                  LDAP SDK's ability to use such certificates for TLS communication, but it
                  did prevent the manage-certificates tool from displaying detailed information
                  about the key when listing a certificate.
                  <br><br>
                </li>

                <li>
                  Fixed an issue that could prevent the LDAP SDK from properly decoding an X.509
                  certificate extension that made use of a general names element with a
                  directoryName component.  This did not affect the LDAP SDK's ability to use
                  certificates containing such extensions for TLS communication, but it did
                  prevent the manage-certificates tool from displaying detailed information
                  about the extension when listing a certificate.
                  <br><br>
                </li>

                <li>
                  Added a JSON access log request handler that can be used with the LDAP listener
                  framework to record JSON-formatted information about the operations that have
                  been processed.  The in-memory directory server has been updated to make it
                  easy to use this request handler.
                  <br><br>
                </li>

                <li>
                  Updated the debugging framework to format debug messages as JSON objects.
                  <br><br>
                </li>

                <li>
                  Added client-side support for an extended operation that may be used to invoke
                  the collect-support-data utility in the Ping Identity Directory Server and
                  stream the resulting output and support data archive back to the client through
                  intermediate response messages.
                  <br><br>
                </li>

                <li>
                  Added client-side support for an administrative task that may be used to invoke
                  the collect-support-data utility in the Ping Identity Directory Server.
                  <br><br>
                </li>

                <li>
                  Added a new collect-support-data command-line tool that can be used to obtain a
                  range of useful information about an instance of the Ping Identity Directory
                  Server (or related product, like the Directory Proxy Server, Synchronization
                  Server, or Data Governance Server) that can help support personnel troubleshoot
                  problems or better understand the server configuration and the environment in
                  which it is running.  All of the data collection logic is actually provided by
                  server-side code, but the tool is included in the LDAP SDK so that it can be
                  invoked from a client system that does not have a full server installation.
                  <br><br>
                </li>

                <li>
                  Updated the Version class to add methods that can be used to obtain LDAP SDK
                  version information.  The version information could previously only be obtained
                  by directly referencing the public static final constant values that the Version
                  class exposes, but referencing those constant values from an external class
                  could cause the Java compiler to compile those hard-coded values directly into
                  that external class.  If the LDAP SDK library was replaced with a new version
                  without recompiling the source code, the compiled-in constant values could no
                  longer accurately reflect the version of the LDAP SDK being used.  Obtaining
                  LDAP SDK version information using the new method calls rather than the
                  constants can help avoid this problem.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.14</h3>

              <p>
                The following changes were made between the 4.0.13 and 4.0.14 releases:
              </p>

              <ul>
                <li>
                  Fixed an issue in which LDAP URLs with consecutive percent-encoded bytes were
                  not decoded correctly.
                  <br><br>
                </li>

                <li>
                  Fixed an issue that could cause the LDAP SDK to incorrectly handle data read
                  from a server when the communication is protected with SASL integrity or
                  confidentiality.Thanks to Boris Danilovich for reporting this problem and
                  identifying the cause.
                  <br><br>
                </li>

                <li>
                  Fixed an issue that prevented the searchrate tool from running if neither a base
                  DN pattern nor an LDAP URL pattern was provided.
                  <br><br>
                </li>

                <li>
                  Improved the logic that the LDAP SDK uses when choosing the cipher suites to
                  offer when establishing a TLS-secured connection.  Weaker suites are disabled,
                  and the enabled suites are prioritized so that those offering forward secrecy
                  and the strongest encryption are preferred.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>FullLDAPInterface</tt> interface that extends
                  <tt>LDAPInterface</tt> and adds support for <tt>close</tt>, <tt>bind</tt>, and
                  <tt>processExtendedOperation</tt> methods.  The existing
                  <tt>LDAPConnection</tt>, <tt>AbstractConnectionPool</tt>, and
                  <tt>InMemoryDirectoryServer</tt> classes have been updated to implement this
                  interface rather than its <tt>LDAPInterface</tt> superclass.
                  <br><br>
                </li>

                <li>
                  Added a new non-final <tt>MockableLDAPConnection</tt> class that makes it easier
                  to mock an <tt>LDAPConnection</tt> instance.  It implements
                  <tt>FullLDAPInterface</tt> and wraps a provided <tt>LDAPConnection</tt> instance.
                  If you create a <tt>MockableLDAPConnection</tt> subclass, then you may override
                  any of the <tt>FullLDAPInterface</tt> methods to implement your own behavior.
                  Any non-overridden methods will simply invoke the corresponding method on the
                  provided <tt>LDAPConnection</tt> instance.
                  <br><br>
                </li>

                <li>
                  Fixed a minor typo in the <tt>ldapsearch</tt> usage information.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.13</h3>

              <p>
                The following changes were made between the 4.0.12 and 4.0.13 releases:
              </p>

              <ul>
                <li>
                  Added connection pool debugging support.  The debugging covers checking out,
                  releasing, establishing, and closing connections for use in the pool, as well as
                  closing the pool itself.
                  <br><br>
                </li>

                <li>
                  Updated the passphrase-encrypted output stream to provide an option to override
                  the default key factory iteration count (16,384 rounds when using the baseline
                  encryption strength and 131,027 rounds when using the strong encryption option).
                  <br><br>
                </li>

                <li>
                  Updated support for the exec task to make it possible to specify the path to the
                  working directory to use when executing the command.  Previously, the server
                  would always use the instance root directory as the working directory, and that
                  will still be the default if no working directory is specified.
                  <br><br>
                </li>

                <li>
                  Fixed an issue in the prompt trust manager that could cause it to display an
                  incorrect warning for some certificates with a basic constraints extension with
                  a path length constraint.
                  <br><br>
                </li>

                <li>
                  Fixed an issue in the encoding and decoding of X.509 certificates that
                  included an authority key extension that included the optional
                  authorityCertIssuer element.
                  <br><br>
                </li>

                <li>
                  Fixed an issue in manage-certificates when displaying verbose information about
                  a certificate that included the key usage extension.  It failed to properly
                  indicate when the key agreement flag was set in the extension.
                  <br><br>
                </li>

                <li>
                  Updated the manage-certificates check-certificate-usability command to add an
                  additional check to see whether the certificate at the root of the chain is
                  found in the JVM's set of trusted issuer certificates.  If the CA certificate
                  is not found in the JVM's default trust store, a notice will be displayed, but
                  the tool will still complete with a success result.
                  <br><br>
                </li>

                <li>
                  Made the <tt>ManageCertificates.readCertificatesFromFile</tt> method public so
                  that it can be used outside of the LDAP SDK.  This method can be used to read a
                  set of PEM-encoded or DER-encoded X.509 certificates from a specified file.
                  <br><br>
                </li>

                <li>
                  Made the <tt>ManageCertificates.readCertificateSigningRequestFromFile</tt>
                  method public so that it can be used outside of the LDAP SDK.  This method can
                  be used to read a PEM-encoded or DER-encoded PKCS #10 certificate signing
                  request from a file.
                  <br><br>
                </li>

                <li>
                  Added an additional <tt>StaticUtils.getEnvironmentVariable</tt> method that
                  allows you to provide a default value that should be used if the requested
                  environment variable is not set.
                  <br><br>
                </li>

                <li>
                  Updated <tt>StaticUtils</tt> to add a <tt>getStackTrace</tt> method variant that
                  allows you to limit the number of stack trace frames to include from code before
                  the call into the LDAP SDK.  Also updated the
                  <tt>StaticUtils.getExceptionMessage</tt> behavior for a
                  <tt>NullPointerException</tt> so that it now shows all frames from the LDAP SDK
                  (and anything that the LDAP SDK calls), and up to three frames from code before
                  the call into the LDAP SDK.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.12</h3>

              <p>
                The following changes were made between the 4.0.11 and 4.0.12 releases:
              </p>

              <ul>
                <li>
                  Fixed an issue that could cause the write timeout handler (used to ensure that
                  connections are terminated if a write attempt is blocked for longer than the
                  maximum allowed length of time) to leave a thread running after all connections
                  had been closed.  The timeout handler had previously used a single timer that is
                  shared by all connections for the life of the JVM.  It will now share a timer
                  across all connections that are established concurrently, but the timer instance
                  will be destroyed when the last active connection is closed.  If a new
                  connection is established after the timer has been destroyed, a new timer will
                  be created, and that timer may be shared by any other connections created after
                  that as long as at least one connection remains active.
                  <br><br>
                </li>

                <li>
                  Fixed an issue that could cause the LDAP SDK to leak a write timeout timer task if
                  it is unable to establish successfully establish a connection.
                  <br><br>
                </li>

                <li>
                  Fixed an issue with the JVM-default trust manager that could arise if the
                  certificate chain presented during TLS negotiation was not a complete chain, and
                  in which the last certificate in the chain is not in the JVM's list of trusted
                  issuers.  If the last certificate in the chain is not self-signed and not found
                  in the set of trusted issuers, the trust manager will now check to see if that
                  certificate has an authority key identifier extension, and if so, whether any of
                  the trusted issuers has a subject key identifier extension with a matching key
                  ID.  If so, and if that trusted issuer signed the last certificate in the
                  provided chain, then the chain will be trusted.
                  <br><br>
                </li>

                <li>
                  Fixed an issue in the code for parsing schema element definitions in which an
                  attempt to parse a malformed schema definition could incorrectly result in an
                  LDAPException with an INVALID_DN_SYNTAX result code instead of the more
                  appropriate INVALID_ATTRIBUTE_SYNTAX result code.
                  <br><br>
                </li>

                <li>
                  Fixed an issue in the persistence framework logic used to create LDAP attributes
                  from Java objects.  While it was intended to select an appropriate matching rule
                  from the corresponding Java data type, this code was only used when generating
                  attribute type definitions to be added to the server schema, and the attribute
                  objects created by the persistence framework always used a default matching rule
                  intended for case-insensitive strings.  The created attributes now use a
                  matching rule selected from the corresponding Java data type.
                  <br><br>
                </li>

                <li>
                  Updated manage-certificates to use the SHA-1 digest algorithm instead of 256-bit
                  SHA-2 when generating the subject key identifier for certificates and
                  certificate signing requests.  It appears that the Microsoft CA cannot handle
                  256-bit subject key identifiers, and therefore could not sign the CSRs with
                  256-bit subject key identifiers that manage-certificates had generated.
                  <br><br>
                </li>

                <li>
                  Added client-side support for the SCRAM-SHA-1, SCRAM-SHA-256, and SCRAM-SHA-512
                  SASL mechanisms.
                  <br><br>
                </li>

                <li>
                  Added client-side support for the generate password request and response
                  controls, which may be used in an add operation to have the server generate a
                  password for the new entry.  Support for this control will be included in an
                  upcoming version of the Ping Identity Directory Server.
                  <br><br>
                </li>

                <li>
                  Added client-side support for the generate password extended request and
                  response, which may be used to request that the server generate one or more
                  passwords that may be suggested to an end user when creating or updating
                  an entry.  Support for this extended operation will be included in an upcoming
                  version of the Ping Identity Directory Server.
                  <br><br>
                </li>

                <li>
                  Updated the ldapmodify command-line tool to provide an option to include the
                  generate password request control in add requests, and to display information
                  from a corresponding generate password response control if it is present in the
                  add result.
                  <br><br>
                </li>

                <li>
                  Updated the transform-ldif tool to add options for excluding LDIF records by
                  change type, and for excluding LDIF records that do not have a change type (and
                  are therefore considered entries).
                  <br><br>
                </li>

                <li>
                  Added a <tt>CommandLineTool.requestToolArgumentsInteractively</tt> method that
                  can be used to override the LDAP SDK's default interactive mode processing for a
                  tool.  If a tool supports interactive mode and overrides this method, then the
                  processing performed by that method will be used to obtain the command-line
                  arguments that should be used to actually run the tool.
                  <br><br>
                </li>

                <li>
                  Added <tt>ArgumentParser.addMutuallyDependentArgumentSet</tt> methods that can
                  be used to define a set of arguments that are mutually dependent such that if
                  any of the arguments is provided, then all of them must be provided.
                  <br><br>
                </li>

                <li>
                  Added <tt>StaticUtils.linesToString</tt> convenience methods that can convert a
                  list or array of strings to a single string that includes line breaks (using the
                  platform-appropriate end-of-line sequence) after each line.
                  <br><br>
                </li>

                <li>
                  Updated the command-line tool interactive mode processor so that when it prompts
                  for a password, PIN, or other sensitive argument that does not get echoed to the
                  terminal, it will now prompt to confirm the value to help ensure that the user
                  entered it correctly.
                  <br><br>
                </li>

                <li>
                  Updated the command-line tool's interactive mode processor to change the
                  behavior that it exhibits when displaying what will be invoked.  Previously, it
                  only displayed a list of the arguments to be provided to the tool.  It will now
                  include the name of the command, and it will end all but the last line with a
                  backslash as an indicator that the command continues onto the next line.  This
                  makes it easier to copy and past the command without needing to edit it (or it
                  at least reduces the amount of editing required).
                  <br><br>
                </li>

                <li>
                  Improved the error message that would be returned by the argument parser when
                  the value provided for a string or Boolean argument was not included in the set
                  of allowed values for that argument.  It would previously just tell you that the
                  provided value was not allowed.  It will now also provide a list of the allowed
                  values.
                  <br><br>
                </li>

                <li>
                  Fixed an issue in the search-and-mod-rate tool in which the search duration
                  times reported included not only the time required to process the search, but
                  also the time required to process the associated modify operations as well.  If
                  rate limiting was used, then the search duration would also include the wait
                  before each modify attempt.
                  <br><br>
                </li>

                <li>
                  Fixed an issue in the manage-certificates tool in which the usage information
                  for the --key-size-bits argument to the generate-self-signed-certificate
                  subcommand inadvertently used the description for the --key-algorithm argument.
                  <br><br>
                </li>

                <li>
                  Added <tt>StaticUtils</tt> methods to obtain all addresses associated with all
                  interfaces on the local system, and to get the canonical host names associated
                  with addresses, but only if they can be resolved (that is, excluding those that
                  just resolve to the IP addresses).
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.11</h3>

              <p>
                The following changes were made between the 4.0.10 and 4.0.11 releases:
              </p>

              <ul>
                <li>
                  Improved the LDAP SDK's protection against socket write attempts that block for
                  an indefinite length of time.  This is only likely to occur when sending a large
                  number of asynchronous requests over a connection, and only in the case that the
                  server stops reading requests from the client, or if a networking problem
                  prevents the request from reaching the server and prevents the client from
                  receiving any information about that failure.
                  <br><br>
                </li>

                <li>
                  Added <tt>InMemoryDirectoryServer.applyChangesFromLDIF</tt> methods that can be
                  used to read LDIF change records and apply them to data in the server.  The
                  changes will be applied atomically, and if any of the changes cannot be applied
                  successfully, then the server data will remain unchanged.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>SubtreeDeleter</tt> utility class that can make it easier to
                  delete a specified subtree, optionally including or excluding the base entry for
                  that subtree.  It provides a good client-side alternative to the subtree delete
                  request control, which isn't supported by all servers, and can sometimes be
                  problematic in servers that do support it.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to improve the diagnostic message that is
                  returned when it rejects an add attempt because the provided entry is not within
                  any of the configured base DNs.
                  <br><br>
                </li>

                <li>
                  Improved the exception message that is generated if a failure occurs while
                  trying to create a TLS-based connection.  If the JVM supports creating an
                  unconnected SSLSocket and then connecting it after the fact (which makes it
                  possible to specify a connect timeout), and that connection attempt failed (for
                  example, because the client did not trust the certificate presented by the
                  server), the LDAP SDK could think that the connection was still established.
                  Subsequent attempts to use the connection would fail, but the failure message
                  would not accurately reflect the true cause of the problem.
                  <br><br>
                </li>

                <li>
                  Updated the ldapsearch and ldapmodify command-line tools to use an unlimited
                  response timeout, which will prevent the tool from giving up on an operation if
                  it takes the server a long time to return any kind of response.  Previously,
                  the tools used the LDAP SDK's default timeout of 5 minutes for searches and 30
                  seconds for add, delete, modify, and modify DN operations.
                  <br><br>
                </li>

                <li>
                  Updated the ldapmodify command-line tool to add a
                  <tt>--clientSideSubtreeDelete</tt> argument that can be used to cause each
                  delete operation to be converted to a client-side subtree delete operation, in
                  which the tool will search for entries to delete and then delete them
                  individually.  This makes it easier to delete entries with subordinates on
                  servers that either do not support the subtree delete request control, or in
                  which the client may not have permission to use that control.
                  <br><br>
                </li>

                <li>
                  Updated the searchrate utility to allow specifying the base DN, scope, filter,
                  and requested attributes using LDAP URLs rather than individual attribute values
                  (note that any addresses and ports in the URLs will be ignored; the --hostname
                  and --port arguments will still be used to identify which servers to use).  The
                  LDAP URL can be a fixed URL or it can be a value pattern (including the ability
                  to include variable content in the URLs, or to load URLs from a file).  Using
                  LDAP URLs allows for more precise control over the combination of base DN,
                  scope, filter, and requested attributes on a per-request basis.
                  <br><br>
                </li>

                <li>
                  Updated the round-robin and fewest connections server sets to improve
                  concurrency.  In previous implementations, these sets could only create one
                  connection at a time, which could limit the rate at which connection pools
                  using them could establish new connections.  This is no longer the case, and
                  any number of threads will be able to create connections in parallel using the
                  server sets.  This change also updated the ServerSet API to make it possible
                  for a server set to be notified whenever a connection created with that set has
                  been closed.
                  <br><br>
                </li>

                <li>
                  Updated the round-robin and fewest connections server sets so that they can
                  temporarily blacklist a server that was found to be offline.  If an attempt to
                  create a connection to a server fails, or if that connection is found to be
                  unacceptable for some reason (e.g., it does not pass the associated health
                  check), subsequent connection attempts will avoid that server until a background
                  thread determines that it is available again.  Blacklisted servers will still be
                  tried as a last resort if it is not possible to get an acceptable connection to
                  a non-blacklisted server.  These server sets now use the blacklist by default,
                  but that can be disabled programmatically through the constructor or by setting
                  a system property before creating the server set.
                  <br><br>
                </li>

                <li>
                  Added a new indent-ldap-filter command-line tool that can help make it easier to
                  visualize complex filters with a lot of components, and especially a lot of
                  nesting.  If possible, it can also try to simplify the filter (for example, to
                  remove unnecessary levels of nesting, like an AND inside an AND).
                  <br><br>
                </li>

                <li>
                  Added an ldapdelete command-line tool that can be used to delete entries from an
                  LDAP directory server.  The DNs of the entries to delete can be provided on the
                  command line, read from a file, or read from standard input.  Alternately, the
                  server can search for and delete all entries matching one or more filters.  It
                  offers a number of options, including support for client-side and server-side
                  subtree deletes, rate limiting, and a variety of standard and proprietary
                  controls.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>LDAPCommandLineTool</tt> API to add an option to expose an
                  <tt>--enableSSLDebugging</tt> argument.  If this argument is available, and if
                  it is provided in the set of command-line arguments when the tool is run, then
                  the JVM's SSL/TLS debugging support will be enabled by setting the
                  "<tt>javax.net.debug</tt>" property to "<tt>all</tt>", and the JVM will write a
                  large amount of TLS-related debugging information to standard error.  This can
                  help troubleshoot problems with or provide detailed information about any TLS
                  communication that the tool attempts.
                  <br><br>
                </li>

                <li>
                  Fixed an issue in generating the normalized representation of a multivalued RDN
                  when one or more of those components referenced an attribute type by its OID or
                  a name other than the first of its names.  The normalized string representation
                  would have simply used an all-lowercase representation of the provided attribute
                  name rather than an all-lowercase representation of the primary name.  Also
                  updated the logic used to determine whether an RDN has a specified name or
                  name-value pair to handle the use of alternate names, and exposed the
                  <tt>RDN.getNameValuePairs</tt> method to make it easier to work with an RDN's
                  name-value pairs.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the <tt>ByteStringBuffer.append(CharSequence,int,int)</tt> method
                  in which the final integer argument could be interpreted as the number of
                  characters to append rather than the end position at which to stop appending,
                  which could yield incorrect results when the method was called with a nonzero
                  start position.  Also, updated the ByteStringBuffer.append methods that take
                  CharSequence arguments to eliminate the creation of an intermediate character
                  array, thereby improving performance and reducing garbage creation.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK to add protection against JVM security managers that may
                  prevent calls to certain methods, like attempts to interact with system
                  properties, environment variables, or logger levels.
                  <br><br>
                </li>

                <li>
                  Updated the password reader so that it will generate a more user-friendly error
                  message if it is run in a context when no console is available.  A tool could
                  encounter this error if its output has been redirected, or if it's not running
                  in an interactive shell (for example, in a cron job or system startup script).
                  <br><br>
                </li>

                <li>
                  Dramatically improved the performance of the streamfile value pattern, which
                  operates like the sequentialfile value pattern in that it can iterate through
                  values in a file in sequential order, except that streamfile doesn't need to
                  hold the whole file in memory whereas sequentialfile does.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>Filter.simplifyFilter</tt> method to simplify an AND filter
                  containing an LDAP false filter (an OR filter with zero components, which will
                  never match anything) to just that LDAP false filter, and to simplify an OR
                  filter containing an LDAP true filter (an AND filter with zero components, which
                  will match any entry) to just that LDAP true filter.
                  <br><br>
                </li>

                <li>
                  Added a <tt>PasswordValidationDetailsResponseControl.get(LDAPException)</tt>
                  method that makes it more convenient to get the response control from an
                  unsuccessful operation.
                  <br><br>
                </li>

                <li>
                  Enabled concurrent socket factory use for all versions of Java.  In the past,
                  we have observed that at least some IBM JVMs had a thread safety issue with
                  SSL socket factory implementations, so we only allowed a socket factory to be
                  used concurrently by multiple threads on a whitelisted set of JVMs.  We no
                  longer believe that the IBM JDK socket factory thread safety is an issue, and
                  there are now many more JVM vendors (e.g., Apple, Azul, Amazon Coretto,
                  AdoptOpenJDK, and potentially Red Hat), so concurrent socket factory use will
                  be enabled by default.  If an issue is found ona particular JVM, then concurrent
                  access can be disabled programmatically or with a system property.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK's command-line tool framework to fix an issue with the
                  tool's validation for required, exclusive, and dependent argument sets.  If an
                  argument was configured with a default value, then that value could have been
                  mistakenly treated as if it had been explicitly provided by the user.  This
                  could cause problems for arguments that are part of an exclusive argument set
                  (in which only one of the arguments in that set may be provided) or a dependent
                  argument set (in which an argument can only be used if at least one of a
                  specified set of additional arguments is present).  In such cases, the tool
                  could not have been used in interactive mode.  The <tt>modrate</tt> tool was
                  affected by this issue.
                  <br><br>
                </li>

                <li>
                  Updated the argument parser to fix a problem with the way that it handles
                  backslash characters in argument properties files.  It previously only correctly
                  handled backslashes if they were at the end of a line to indicate that the
                  content continued on to the next line, or if they were followed by the letter
                  'u' and the hexadecimal representation of the desired Unicode character.  It did
                  not handle a backslash in front of other characters used to force that character
                  to be treated as a literal (for example, a backslash followed by an equal sign
                  should be treated as just the equal sign, but was instead being treated as a
                  backslash followed by an equal sign).
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK build process to automatically generate documentation for
                  all of the command-line tools included with the SDK.  Usages are provided in
                  both plain text and HTML, and the HTML documentation is linked from the main
                  documentation index page.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.10</h3>

              <p>
                The following changes were made between the 4.0.9 and 4.0.10 releases:
              </p>

              <ul>
                <li>
                  Fixed a bug in generating the normalized representation of an RDN with multiple
                  values that have the same attribute type (for example, "cn=foo+cn=bar").  In
                  such cases, the normalized representation of that RDN would have incorrectly had
                  only one value with that attribute type, and any other values with that same
                  attribute type would have been omitted.  Further, because the normalized string
                  representation of an RDN is used for other purposes (like determining equality
                  and comparator ordering), this may fix other related issues as well.
                  <br><br>
                </li>

                <li>
                  Added additional methods for improved DN and RDN validation that make it
                  possible to require attribute names to strictly comply with the specification.
                  Previously, the methods for creating and validating DNs and RDNs from strings
                  were always lenient with what they would allow in attribute names because some
                  servers are lenient.  That leniency is still the default for the sake of
                  backward compatibility, but there is now an option to require strict compliance
                  with the specification.
                  <br><br>
                </li>

                <li>
                  Improved support for TLSv1.3 in JVMs that support it (Java 11 and later).  The
                  LDAP SDK will now automatically enable support for TLSv1.3 if it is available,
                  and will prefer that protocol if the server also supports it, but can still
                  transparently fall back to an earlier protocol version (TLSv1.2, TLSv1.1, or
                  TLSv1, whichever is the highest version that the server supports) if the server
                  does not support it.  As before, the default and enabled set of TLS protocols
                  can be overridden programmatically by calling methods in the
                  <tt>com.unboundid.util.ssl.SSLUtil</tt> class, or by setting the
                  <tt>com.unboundid.util.SSLUtil.defaultSSLProtocol</tt> and
                  <tt>com.unboundid.util.SSLUtil.enabledSSLProtocols</tt> system properties when
                  launching the JVM.
                  <br><br>
                </li>

                <li>
                  Updated the process for establishing a secure connection to immediately start
                  the TLS handshake on the socket, rather than waiting for it to happen on the
                  first attempt to communicate over the connection.  This can help ensure that the
                  connection is ready to use more quickly, and can help avoid timing issues in
                  certain cases where the prompt trust manager is used in other interactive
                  applications that prompt for user input.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to reject search requests that include
                  filters with approximate-match or extensible-match components.  The LDAP SDK
                  does not support client-side evaluation for these filter types, but the
                  in-memory directory server would previously just not return any matching entries
                  in response to a search request using either of these filter types.  The new
                  behavior is more correct and makes it easier to troubleshoot unexpected behavior
                  for searches involving these filter types.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>in-memory-directory-server</tt> command-line tool to add
                  support for a number of new arguments, including
                  <tt>--generateSelfSignedCertificate</tt>, <tt>--maxConcurrentConnections</tt>,
                  <tt>--sizeLimit</tt>, <tt>--passwordAttribute</tt>,
                  <tt>--defaultPasswordEncoding</tt>, <tt>--allowedOperationType</tt>, and
                  <tt>--authenticationRequiredOperationType</tt>.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>ldap-debugger</tt> tool to add a
                  <tt>--generateSelfSignedCertificate</tt> argument.  If the tool is configured
                  to listen using SSL, then this argument can be given as an alternative to the
                  <tt>--keyStorePath</tt> argument to indicate that the <tt>ldap-debugger</tt>
                  should generate its own self-signed certificate instead of using one provided
                  by the user.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>ResultCode.isConnectionUsable</tt> methods so that
                  <tt>UNWILLING_TO_PERFORM</tt> is no longer included in the set of result codes
                  that will cause the LDAP SDK to suspect that the connection may no longer be
                  usable.  Although it's possible that the connection may have become invalid,
                  there are plenty of reasons that an LDAP server may return an
                  <tt>UNWILLING_TO_PERFORM</tt> response for a connection that remains completely
                  usable.  Since <tt>isConnectionUsable</tt> is often used to decide whether to
                  keep the existing connection or to throw it away and replace it with a new one,
                  being too prone to indicate that a connection is no longer usable can adversely
                  impact application performance and increase load on the directory server.
                  <br><br>
                </li>

                <li>
                  Added a new API that can be used to change the way that the LDAP SDK resolves
                  names to IP addresses, and IP addresses to names.  The default implementation
                  simply uses the JVM's standard name resolution methods, but a caching name
                  resolver is also provided that can offer better performance and better
                  resilience against name service outages.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>PasswordFileReader</tt> class that makes it easier to read a
                  password from a file.  The password files may optionally be gzip-compressed
                  and/or passphrase-encrypted, and the reader validates that the file contains
                  exactly one line and that the line is now non-empty.  All command-line tools
                  now have access to a password file reader, and LDAP SDK tools that can read
                  passwords from files have been updated to take advantage of this new reader.
                  <br><br>
                </li>

                <li>
                  Updated the command-line tool framework so that tools that support reading
                  argument values from properties files now handle files that are optionally
                  gzip-compressed and/or passphrase-encrypted.
                  <br><br>
                </li>

                <li>
                  Fixed a potential null pointer exception in <tt>ArgumentParser.toString</tt>
                  that could arise if the parser was created through serialization and there were
                  not any additional description paragraphs.  Also, eliminated an unnecessary
                  quotation mark in the generated string representation.
                  <br><br>
                </li>

                <li>
                  Updated the ldapsearch and ldapmodify tools to add support for the get backend
                  set ID and get server ID request controls (which can be used to obtain
                  information from a Ping Identity Directory Server or Directory Proxy Server
                  about which entry-balancing backend sets or which server instances were used in
                  processing the request), and for the route to backend set and route to server
                  request controls (which can be used to request that the Ping Identity Directory
                  Proxy Server route the request to a specific group of entry-balancing backend
                  sets or to a specific backend server).
                  <br><br>

                <li>
                  Updated LDAP command line tools to support authentication with the
                  UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism.
                  <br><br>
                </li>

                <li>
                  Added <tt>StaticUtils</tt> convenience methods for creating maps and sets.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF writer to make its user-friendly display of base64-encoded
                  values more filter-friendly.  The LDIF writer has a feature that allows it to
                  automatically include a comment below a base64-encoded value that tries to
                  display a more human-readable version of that value.  In most cases, the value
                  in that comment could simply be copied and pasted into a search filter intended
                  to target that value, but some of the escaping wasn't very filter-friendly.  For
                  example, if the base64-encoded value included an ASCII tab, carriage return or
                  line feed character, it was previously escaped as "\t", "\r", or "\n",
                  respectively, but those escapes aren't valid in the string representation of an
                  LDAP filter.  Also, some characters that must be escaped in the string
                  representation of filters (like the open parenthesis, close parenthesis, and
                  asterisk) weren't being escaped.  The escaping has now been updated so that it
                  should be more suitable for copying into a search filter.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>UniquenessResponseControl</tt> class to add convenience methods
                  to help make it easier to interpret the response, and updated the
                  <tt>UniquenessRequestControl</tt> class to add an example to the class-level
                  Javadoc.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.9</h3>

              <p>
                The following changes were made between the 4.0.8 and 4.0.9 releases:
              </p>

              <ul>
                <li>
                  Updated the command-line tool framework to allow tools to have descriptions
                  that are comprised of multiple paragraphs.
                  <br><br>
                </li>

                <li>
                  Updated the support for passphrase-based encryption to work around and apparent
                  bug in the JVM support for some implementations of MAC algorithms.  It seems
                  that under certain rare circumstances, some versions of the JVM can compute an
                  incorrect MAC, which could lead to a failure in the passphrase-based encryption
                  code.  To account for this, the LDAP SDK now generates the MAC multiple times
                  and only uses the value if it is able to reliably produce a consistent result.
                  <br><br>
                </li>

                <li>
                  Updated all existing <tt>ArgumentValueValidator</tt> instances to implement the
                  <tt>Serializable</tt> interface to avoid errors when trying to serialize an
                  argument configured with one of those validators (or when trying to serialize an
                  argument parser with any such arguments).  The <tt>ArgumentValueValidator</tt>
                  abstract class itself has not been altered to maintain backward compatibility.
                  <br><br>
                </li>

                <li>
                  Updated code used to create <tt>HashSet</tt>, <tt>LinkedHashSet</tt>,
                  <tt>HashMap</tt>, <tt>LinkedHashMap</tt>, and <tt>ConcurrentHashMap</tt>
                  instances with an initial capacity to use a better algorithm for computing the
                  correct initial capacity based on the expected number of elements that the set
                  or map is expected to have.  The new algorithm takes the load factor into
                  account so that it is less likely that there will be a need to re-hash or
                  re-balance the set or map.  This should improve performance in such cases.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF change record API to make it possible to obtain a copy of a
                  change record with a provided set of controls.
                  <br><br>
                </li>

                <li>
                  Added additional methods for obtaining a normalized string representation of
                  JSON objects and value components with more control over case sensitivity of
                  field names and string values, and also over array order.
                  <br><br>
                </li>

                <li>
                  Improved support for running in an environment in which a security manager
                  prevents calls to setting system properties (which also prevents access to the
                  <tt>System.getProperties</tt> method because its return value is mutable).  It
                  is expected that <tt>System.getProperty</tt> can still be used to retrieve
                  individual property values.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.8</h3>

              <p>
                The following changes were made between the 4.0.7 and 4.0.8 releases:
              </p>

              <ul>
                <li>
                  Fixed an issue in the modrate tool in which if the <tt>--valuePattern</tt>
                  argument was not used to specify the desired value pattern, the pattern
                  generated by the tool would mistakenly result in a fixed string rather than one
                  that was randomized, causing all of the generated modifications to be the same.
                  <br><br>
                </li>

                <li>
                  Fixed an address caching bug in <tt>RoundRobinDNSServerSet</tt> in which an
                  inverted comparison caused the cache to be used for expired addresses instead of
                  non-expired addresses.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>ldapmodify</tt> tool to remove the restriction preventing the
                  use of arbitrary controls with an LDAP transaction or the multi-update
                  operation.
                  <br><br>
                </li>

                <li>
                  Updated a number of locations in the code that caught <tt>Throwable</tt> to
                  re-throw the original <tt>Throwable</tt> instance (after performing appropriate
                  cleanup) if that <tt>Throwable</tt> instance was an <tt>Error</tt> or perhaps a
                  <tt>RuntimeException</tt>.
                  <br><br>
                </li>

                <li>
                  Added a number of convenience methods to the <tt>JSONObject</tt> class that make
                  it easier to get the value of a specified field as a string, Boolean, number,
                  object, array, or null.
                  <br><br>
                </li>

                <li>
                  Added a <tt>StaticUtils.toArray</tt> method that can be used to convert a
                  collection to an array in a generic manner.  Although this is usually not any
                  more convenient than calling <tt>Collection.toArray</tt>, it can be useful in
                  certain contexts where it isn't feasible to make more than one call (for
                  example, in a call to <tt>this</tt> or <tt>super</tt> in a constructor) or
                  when the type of collection element is not known at compile time.
                  <br><br>
                </li>

                <li>
                  Added support for parsing audit log messages generated by the Ping Identity
                  Directory Server version 7.1 and later, including support for generating
                  LDIF change records that can be used to revert changes recorded in the audit
                  log in a reversible form.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.7</h3>

              <p>
                The following changes were made between the 4.0.6 and 4.0.7 releases:
              </p>

              <ul>
                <li>
                  Fixed an issue in the LDAPConnectionPool and LDAPThreadLocalConnectionPool
                  classes when created with a connection that is already established and
                  authenticated (as opposed to being created from a server set and bind request).
                  Internally, the LDAP SDK created its own server set and bind request from the
                  provided connection's state information, but it incorrectly included bind
                  credentials in the server set.  Under most circumstances, this would merely
                  cause the LDAP SDK to send two bind requests (the second a duplicate of the
                  first) when establishing a new connection as part of the pool.  However, it
                  caused a bigger problem when using the new <tt>setBindRequest</tt> methods
                  that were introduced in the 4.0.6 release.  Because the server set was
                  created with bind credentials, the pool would create a connection that tried
                  to use those old credentials before sending a second bind request with the
                  new credentials, and this would fail if the old credentials were no longer
                  valid.
                  <br><br>
                </li>

                <li>
                  Fixed an issue with the behavior that the LDAP SDK exhibited when configured to
                  automatically follow referrals.  If the server returned a search result
                  reference that the LDAP SDK could not follow (for example, because none of the
                  URLs were valid, none of the servers could be reached, none of the searches
                  succeeded, in those servers, etc.), the LDAP SDK would assign a result code of
                  "referral" to the search operation, which would cause it to throw an exception
                  when the search completed (as is the case for most non-success result codes).
                  The LDAP SDK will no longer override the result code for the search operation,
                  but will instead use whatever result code the server returned in its search
                  result done message.  Any search result references that the LDAP SDK could not
                  automatically follow will be made available to the caller through the same
                  mechanism that would have been used if the SDK had not been configured to
                  automatically follow referrals (that is, either hand them off to a search result
                  listener or collect them in a list to include in the search result object).
                  The LDAP SDK was already making the unfollowable search result references
                  available in this manner, but the client probably wouldn't have gotten to the
                  point of looking for them because of the exception resulting from the overridden
                  operation result code.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>LDAPConnectionPoolHealthCheck.performPoolMaintenance</tt> method
                  that can be used to perform processing on the pool itself (rather than on any
                  individual connection) at regular intervals as specified by the connection
                  pool's health check interval.  This method will be invoked by the health check
                  thread after all other periodic health checking is performed.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>PruneUnneededConnectionsLDAPConnectionPoolHealthCheck</tt> class
                  that can be used to monitor the size of a connection pool over time, and if the
                  number of available (that is, not currently in use) connections is consistently
                  greater than a specified minimum for a given length of time, then the number of
                  connections in the pool can be reduced to that minimum.  This can be used to
                  automatically shrink the size of the pool during periods of reduced activity.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>Schema</tt> class to provide additional constructors and methods
                  that can be used to attempt to retrieve the schema without silently ignoring
                  errors about unparsable elements.  Previously, if a schema entry contained one
                  or more unparsable elements, they would be silently ignored.  It is now possible
                  to more easily obtain information about unparsable elements or to have the LDAP
                  SDK throw an exception if it encounters any unparsable elements.
                  <br><br>
                </li>

                <li>
                  Added <tt>createSubInitialFilter</tt>, <tt>createSubAnyFilter</tt>, and
                  <tt>createSubFinalFilter</tt> methods to the <tt>Filter</tt> class that are more
                  convenient to use than the existing <tt>createSubstringFilter</tt> methods for
                  substring filters that only have one type of component.
                  <br><br>
                </li>

                <li>
                  Updated the Entry.diff method when operating in reversible mode so that when
                  altering the values of an existing attribute, the delete modifications will be
                  ordered before the add modifications.  Previously, the adds came before the
                  deletes, but this could cause problems in some directory servers, especially
                  when the modifications are intended to change the case of a value in a
                  case-insensitive attribute (for example, the add could be ignored or rejected
                  because the value already exists in the entry, or the delete could end up
                  removing the value entirely).  Ordering the deletes before the adds should
                  provide much more reliable results.
                  <br><br>
                </li>

                <li>
                  Updated the modrate tool to add a new "--valuePattern" argument that can be used
                  to specify the pattern to use to generate new values.  This argument is an
                  alternative to the "--valueLength" and "--characterSet" arguments and allows for
                  more flexibility in the types of values that can be generated.
                  <br><br>
                </li>

                <li>
                  Updated the manage-account tool so that the arguments related to TOTP secrets
                  are marked sensitive.  This will ensure that the value is not displayed in the
                  clear in certain cases like interactive mode output or tool invocation logging.
                  <br><br>
                </li>

                <li>
                  Added a new "streamfile" value pattern component that operates like the existing
                  "sequentialfile" component except that it limits the amount of the file that is
                  read into memory at any given time, so it is more suitable for reading values
                  from very large files.
                  <br><br>
                </li>

                <li>
                  Added a new "timestamp" value pattern component that can be used to include
                  either the current time or a randomly selected time from a given range in a
                  variety of formats.
                  <br><br>
                </li>

                <li>
                  Added a new "uuid" value pattern component that can be used to include a
                  randomly generated universally unique identifier (UUID).
                  <br><br>
                </li>

                <li>
                  Added a new "random" value pattern component that can be used to include a
                  specified number of randomly selected characters from a given character set.
                  <br><br>
                </li>

                <li>
                  Added a <tt>StaticUtils.toUpperCase</tt> method to complement the existing
                  <tt>StaticUtils.toLowerCase</tt> method.
                  <br><br>
                </li>

                <li>
                  Added <tt>Validator.ensureNotNullOrEmpty</tt> methods that work for
                  collections, maps, arrays, and character sequences.
                  <br><br>
                </li>

                <li>
                  Added <tt>LDAPTestUtils</tt> methods that can be used to make assertions about
                  the diagnostic message of an LDAP result or an LDAP exception.
                  <br><br>
                </li>

                <li>
                  Added client-side support for a new exec task that can be used to invoke a
                  specified command in the Ping Identity Directory Server (subject to
                  security restrictions imposed by the server).
                  <br><br>
                </li>

                <li>
                  Added client-side support for a new file retention task that can be used to
                  examine files in a specified directory, identify files matching a given pattern,
                  and delete any of those files that do not match count-based, age-based, or
                  size-based criteria.
                  <br><br>
                </li>

                <li>
                  Added client-side support for a new delay task that can be used sleep for a
                  specified period of time, until the server work queue reports that all
                  worker threads are idle and there are no pending operations, or until a
                  given search or set of searches match at least one entry.  The delay task is
                  primarily intended to be used as a spacer between other tasks in a dependency
                  chain.
                  <br><br>
                </li>

                <li>
                  Updated support for the ignore NO-USER-MODIFICATION request control to make it
                  possible to set the criticality when creating an instance of the control.
                  Previously, new instances were always critical.
                  <br><br>
                </li>

                <li>
                  Updated the ldapmodify tool to include the ignore NO-USER-MODIFICATION request
                  control in both add and modify requests if the --ignoreNoUserModification
                  argument was provided.  Previously, that argument only caused the control to be
                  included in add requests.  Further, the control will now be marked non-critical
                  instead of critical.
                  <br><br>
                </li>

                <li>
                  Updated the task API to add support for a number of new properties, including
                  the email addresses of users to notify on task start and successful
                  completion (in addition to the existing properties specifying users to email
                  on error or on any type of completion), and flags indicating whether the
                  server should alert on task start, successful completion, or failure.
                  <br><br>
                </li>

                <li>
                  Updated the argument parser's properties file support so that it expects the
                  file to use the ISO 8859-1 encoding, and to support Unicode escape sequences
                  that are comprised of a backslash followed by the letter u and four hexadecimal
                  digits.
                  <br><br>
                </li>

                <li>
                  Updated the tool invocation logger to add a failsafe mechanism for preventing
                  passwords from being included in the log.  Although it will already redact the
                  values of any arguments that are declared sensitive, it will now also redact the
                  values of any arguments whose name suggests that their value is a password.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.6</h3>

              <p>
                The following changes were made between the 4.0.5 and 4.0.6 releases:
              </p>

              <ul>
                <li>
                  Fixed a number of issues with the way the LDAP SDK handled characters whose
                  UTF-8 representation requires more than two bytes (and therefore requires two
                  Java chars to represent a single character).  Issues related to these characters
                  were found in code for matching rules, RDNs (and therefore DNs), and filters.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the ldapsearch tool that could cause it to use an incorrect scope
                  when constructing search requests from LDAP URLs read from a file.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could prevent certain client-side state information from being
                  properly updated when processing a bind request using either the
                  <tt>LDAPConnection.processOperation</tt> or the
                  <tt>AbstractConnectionPool.processRequests</tt> methods.  This could cause the
                  LDAP SDK to incorrectly believe that a connection was not authenticated when it
                  actually was.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in schema handling that could arise if an object class definition
                  did not specify the object class type (STRUCTURAL, AUXILIARY, or ABSTRACT).
                  In some cases, the type could be incorrectly inherited from the superclass
                  rather than assuming the default type of STRUCTURAL.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>setBinRequest</tt> method to the <tt>LDAPConnectionPool</tt> and
                  <tt>LDAPThreadLocalConnectionPool</tt> classes.  This makes it possible to
                  change the credentials that will be used to authenticate newly created
                  connections, and for existing connections that are re-authenticated with either
                  the <tt>bindAndRevertAuthentication</tt> or the
                  <tt>releaseAndReAuthenticateConnection</tt> methods.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>setServerSet</tt> method to the <tt>LDAPConnectionPool</tt> and
                  <tt>LDAPThreadLocalConnectionPool</tt> classes.  This makes it possible to
                  change the way that the pool establishes new connections.
                  <br><br>
                </li>

                <li>
                  Added a <tt>LDAPRequest.setReferralConnector</tt> method that makes it possible
                  to set a custom referral connector on a per-request basis.  Also added a
                  <tt>RetainConnectExceptionReferralConnector</tt> class that makes it easier to
                  obtain the exception (if any) that was encountered on the last attempt to
                  establish a connection for the purpose of following a referral.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server so that it can better handle instances of
                  java.lang.Error (and its subclasses) that may be thrown in the course of
                  processing associated with a client connection.  These kinds of errors should not
                  happen under normal circumstances, but it is possible for third-party code (for
                  example, code associated with an InMemoryOperationInterceptor) to generate them,
                  and it is possible for the JVM to throw them in extraordinary circumstances like
                  out of memory error. In such cases, the thread responsible for processing
                  requests from that client would exit without returning a response for the
                  operation being processed and without closing the connection.
                  <br><br>
                </li>

                <li>
                  Updated manage-certificates to fix an incorrect interpretation of the path
                  length element of a basic constraints extension.  It was mistakenly
                  interpreted to mean the maximum number of certificates that are allowed in a
                  certificate chain containing that certificate, but it actually specifies the
                  maximum number of intermediate certificates that are allowed between that
                  issuer certificate and the subject certificate at the head of the chain.
                  <br><br>
                </li>

                <li>
                  Updated manage-certificates to add support for importing PEM-encoded RSA private
                  keys that are not wrapped in a PKCS #8 envelope (that is, from a file whose
                  header contains "BEGIN RSA PRIVATE KEY" instead of "BEGIN PRIVATE KEY").
                  Previously, it was only possible to import private keys using the PKCS #8
                  format.
                  <br><br>
                </li>

                <li>
                  Updated manage-certificates to add an
                  --allow-sha-1-signature-for-issuer-certificates argument to the
                  check-certificate-usability subcommand.  If this argument is provided, then the
                  tool will continue to call out issuer certificates with a certificate whose
                  signature is based on the weak SHA-1 message digest, but it will not cause the
                  tool to exit with an error just because of that issue.  This argument has no
                  effect for certificates that use a signature based on the extremely weak MD5
                  digest, and it also does not have any effect if the server certificate at the
                  head of the chain has a SHA-1-based signature.
                  <br><br>
                </li>

                <li>
                  Added client-side support for a new reload HTTP connection handler certificates
                  task that may be used in some Ping Identity server products to request that the
                  server dynamically reload the certificate key and trust stores used by all HTTP
                  connection handler instances that provide support for HTTPS.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.5</h3>

              <p>
                The following changes were made between the 4.0.4 and 4.0.5 releases:
              </p>

              <ul>
                <li>
                  Fixed a bug in simple bind request processing in which the LDAP SDK would only
                  reject a bind request that contains a DN but no password (subject to the
                  <tt>LDAPConnectionOptions.bindWithDNRequiresPassword()</tt> setting) when using
                  the default asynchronous mode, but not when configured to operate in synchronous
                  mode.  In applications that use a simple bind operation to authenticate users,
                  that do not ensure that the user provided a non-empty password, and that
                  communicate with a server that does not follow the RFC 4513 section 5.1.2
                  recommendation to reject binds with a DN but no password, this bug could have
                  allowed an attacker to impersonate any legitimate user by identifying themselves
                  as the desired user and leaving the password field empty.
                  (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000134">CVE-2018-1000134</a>).
                  <br><br>
                </li>

                <li>
                  Updated the command-line argument parser so that it will not assign a value from
                  a properties file to an argument if that argument is part of an exclusive
                  argument set and another argument in that set was provided on the command line.
                  <br><br>
                </li>

                <li>
                  Fixed a <tt>manage-certificates</tt> bug in which the validity start time and
                  validity duration values would be ignored when generating a self-signed
                  certificate intended to replace an existing certificate.  In that case, the tool
                  would have always used the current time as the start time and a duration of one
                  year.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>manage-certificates</tt> tool to change the primary name for the
                  existing <tt>--replace-existing-certificate</tt> argument in the
                  <tt>generate-certificate-signing-request</tt> subcommand to be
                  <tt>--use-existing-key-pair</tt>, and updated the usage information to make it
                  clearer that using this option will not cause the keystore to be updated.
                  The former <tt>--replace-existing-certificate</tt> identifier can still be used
                  and will behave in exactly the same way as before, so there is no change in
                  functionality.
                  <br><br>
                </li>

                <li>
                  Improved the usability of the <tt>ldap-debugger</tt> tool when using the
                  <tt>--listenUsingSSL</tt> argument by ensuring that the <tt>--keyStorePath</tt>
                  argument is also provided, along with one of the <tt>--keyStorePassword</tt>,
                  <tt>--keyStorePasswordFile</tt>, and <tt>--promptForKeyStorePassword</tt>
                  arguments.
                  <br><br>
                </li>

                <li>
                  Fixed a number of cases in which there was a mismatch between the arguments
                  provided to a message format string and the arguments expected by that format
                  string.  Unit tests have been added to help prevent this from recurring.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>PassphraseEncryptedOutputStream</tt> class that can be used to
                  write encrypted data with a key generated from a provided passphrase.  Also
                  added a new <tt>PassphraseEncryptedInputStream</tt> class that can be used to
                  read encrypted data written with the <tt>PassphraseEncryptedOutputStream</tt>
                  when provided with the correct passphrase.
                  <br><br>
                </li>

                <li>
                  Added new <tt>RateLimitedInputStream</tt> and <tt>RateLimitedOutputStream</tt>
                  classes that can be used to impose a maximum rate (in bytes per second) at which
                  data can be read from a wrapped input stream or written to a wrapped output
                  stream.
                  <br><br>
                </li>

                <li>
                  Added new <tt>CloseableLock</tt> and <tt>CloseableReadWriteLock</tt> classes
                  that provide the same basic functionality as Java's <tt>ReentrantLock</tt> and
                  <tt>ReentrantReadWriteLock</tt> classes, but that can also be used with Java's
                  try-with-resources facility.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>FixedBarrier.await(int)</tt> method that can be used to
                  request rate limiting for the specified number of occurrences, rather than just
                  a single occurrence.  This can be used to make it easier to impose rate limiting
                  in instances where the event that you're limiting doesn't fit into the
                  existing paradigm.  For example, it could be used to implement a rate-limited
                  output stream in which you want to be able to specify the number of bytes being
                  written at a time, instead of requiring a separate <tt>await()</tt> call for
                  each byte being written.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>ldapsearch</tt>, <tt>ldapmodify</tt>, <tt>split-ldif</tt>,
                  <tt>transform-ldif</tt>, and <tt>validate-ldif</tt> tools to add support for
                  encrypted LDIF files.  The passphrase used to generate the encryption key can be
                  provided interactively or read from a file.
                  <br><br>
                </li>

                <li>
                  Added support for two new UnboundID/Ping-proprietary request controls that can
                  help clients prevent inadvertently requesting unindexed searches.  The reject
                  unindexed search request control can be used to indicate that the server should
                  reject a search request if it cannot be efficiently processed using server
                  indexes, even if the requester has the unindexed-search privilege.  The permit
                  unindexed search request control can be used to indicate that the server should
                  process the search request even if it is unindexed, as long as the requester has
                  the unindexed-search-with-control privilege.  The <tt>ldapsearch</tt> tool has
                  also been updated allow these controls to be included in the search requests
                  that it generates.
                  <br><br>
                </li>

                <li>
                  Added support for a new UnboundID/Ping-proprietary request control that can be
                  included in a search request to indicate that the client wishes to override an
                  internal limit that might otherwise be in effect for that operation.  The
                  <tt>ldapsearch</tt> tool has been updated to allow this control to be included
                  in the search requests that it generates.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>summarize-access-log</tt> tool to add support for encrypted log
                  files.  The passphrase used to generate the encryption key can be provided
                  interactively or read from a file.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.4</h3>

              <p>
                The following changes were made between the 4.0.3 and 4.0.4 releases:
              </p>

              <ul>
                <li>
                  Updated the way that the LDAP SDK generates exception messages to make them more
                  user-friendly.  They are now less likely to include stack traces, and they are
                  less likely to include repeated information like LDAP SDK build information and
                  information duplicated from an exception's cause.  Ideally, suppressing stack
                  trace information in exception messages will not significantly impact the
                  ability to troubleshoot problems, but stack traces remain available through the
                  LDAP SDK's debugging framework, and either or both the
                  <tt>com.unboundid.ldap.sdk.debug.includeStackTraceInExceptionMessages</tt> and
                  <tt>com.unboundid.ldap.sdk.debug.includeCauseInExceptionMessages</tt> system
                  properties can be set to "true" to cause the corresponding information to be
                  included in exception messages when applicable.
                  <br><br>
                </li>

                <li>
                  Fixed an issue that could cause multiple application threads to block in the
                  course of closing a connection pool.  When calling the connection pool's
                  <tt>close</tt> method, the health check thread will be shut down, and the
                  calling thread will block until it has actually stopped.  Once the health
                  check thread has stopped, then any idle connections in the pool will be closed.
                  Connections that are actively being used will not be directly affected by this
                  but will instead be closed when they are released back to the pool.  Previously,
                  if the health check thread had not yet been stopped (for example, if it's in
                  the middle of an expensive or stalled health check operation), then any thread
                  releasing a connection back to the pool that was in the shutdown process would
                  also be blocked until the health check thread had exited.  This is no longer the
                  case, and only the first thread to call a connection pool's <tt>close</tt>
                  method has the potential to block.
                  <br><br>
                </li>

                <li>
                  Updated the way that the LDAP SDK sends messages so that it is more resilient to
                  stalls in the TLS negotiation process.  Java's <tt>SSLSocket</tt> implementation
                  has the potential to block indefinitely until TLS negotiation has completed, and
                  the only way to break out of that stall is to use the <tt>SO_TIMEOUT</tt> socket
                  option.  This was primarily an issue for connections operating in
                  non-synchronous mode, as connections using synchronous mode already used the
                  <tt>SO_TIMEOUT</tt> option to enforce response timeouts.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK's <tt>ServerSet</tt> implementations so that they can
                  perform authentication and post-connect processing.  This can improve resiliency
                  against certain types of certain types of processing failures, and can allow
                  health checks against newly established connections to succeed in certain cases
                  in which they might have previously failed (for example, if the server is
                  configured to reject requests from unauthenticated clients).
                  <br><br>
                </li>

                <li>
                  Updated the <tt>GetEntryLDAPConnectionPoolHealthCheck</tt> class to provide
                  support for invoking the health check after a pooled connection has been
                  authenticated.  This will primarily be used when creating a new connection for
                  use in the connection pool, but it also applies to calls to the connection
                  pool's <tt>bindAndRevertAuthentication</tt> and
                  <tt>releaseAndReAuthenticateConnection</tt> methods.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the <tt>GetEntryLDAPConnectionPoolHealthCheck</tt> class that
                  caused it to behave incorrectly when checking the validity of a connection after
                  an <tt>LDAPException</tt>.  The intended behavior was to only perform a search
                  to retrieve the target entry if the exception's result code indicated that the
                  connection may no longer be valid.  Instead, it erroneously of always failing
                  the health check if the result code indicated that the connection may no longer
                  be valid, and always performing the search if the result code suggested that the
                  connection should still be valid.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>Attribute.hasValue</tt> method to be more efficient for
                  attributes with multiple values, and especially for attributes with a large
                  number of values and/or attributes with more complicated matching rules (like
                  attributes with a distinguished name or generalized time syntax).  This should
                  also provide a similar improvement for the <tt>Filter.matchesEntry</tt> method
                  for equality filters that target attributes with multiple values.
                  <br><br>
                </li>

                <li>
                  Updated the prompt trust manager (which can interactively prompt the user about
                  whether to trust a server certificate chain) to provide better output
                  formatting and more warnings about potential reasons that the presented
                  certificate chain might be considered non-trustworthy.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>LDAPConnectionOptions</tt> class to make a number of changes.
                  <ul>
                    <li>
                      The initial default connect timeout has been reduced from 60,000
                      milliseconds (one minute) to 10,000 milliseconds (10 seconds).  This timeout
                      only covers the length of time required to establish the TCP connection
                      between the client and the server, and does not include the time required to
                      perform any operations on that connection (for example, an initial bind
                      request to authenticate the connection), nor does it include the time
                      required to perform TLS negotiation if the connection is to be secure.  Ten
                      seconds should be more than enough time for this to happen even on the
                      slowest of network links, and a shorter timeout can help reduce the
                      appearance of unresponsiveness if there is no response to the connection
                      attempts.  This initial connection timeout can still be overridden using the
                      <tt>LDAPConnectionOptions.setConnectTimeoutMillis</tt> method.
                    </li>
                    <li>
                      The initial default response timeout has been reduced from 300,000
                      milliseconds (five minutes) to 30,000 milliseconds (30 seconds) for most
                      types of operations, including add, bind, compare, delete, modify, and
                      modify DN operations, as well as for certain types of extended operations.
                      Search operations and non-whitelisted extended operations will continue to
                      use the original default response timeout of 300,000 milliseconds.  Using a
                      shorter response timeout for operations that should complete quickly helps
                      avoid blocking for an unreasonably long period of time if the server is
                      unresponsive.  A long default timeout is still required for search
                      operations because it is possible for very expensive searches to take a
                      very long time before returning any kind of response messages.  It is still
                      possible to set a default response type that applies to all types of
                      operations, but it is now also possible to customize the default response
                      timeout separately for each type of operation, and per request OID for
                      extended operations.  It also remains possible to set a custom response
                      timeout for each individual request using the
                      <tt>LDAPRequest.setResponseTimeoutMillis</tt> method.
                    </li>
                    <li>
                      A number of system properties have been defined that can be used to override
                      the LDAP SDK's default value for a number of settings in the
                      <tt>LDAPConnectionOptions</tt> class, including the default connect and
                      response timeouts.  All of these new system properties are defined in String
                      constants in the <tt>LDAPConnectionOptions</tt> class and are listed in the
                      Javadoc documentation for that class.
                    </li>
                  </ul>
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.3</h3>

              <p>
                The following changes were made between the 4.0.2 and 4.0.3 releases:
              </p>

              <ul>
                <li>
                  Fixed a bug in the way that signatures were generated and verified for X.509
                  certificates and PKCS #10 certificate signing requests.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.2</h3>

              <p>
                The following changes were made between the 4.0.1 and 4.0.2 releases:
              </p>

              <ul>
                <li>
                  Added a new <tt>manage-certificates</tt> tool that can be used to simplify the
                  management of client and server certificates in Java keystores.  It serves as a
                  user-friendly replacement for the Java keytool utility, and it offers features
                  that keytool does not, including support for importing and exporting private
                  keys, a simplified interface for trusting a TLS server certificate, and a
                  mechanism for reporting on the suitability of a specified certificate for use as
                  a TLS server certificate.  The <tt>com.unboundid.util.ssl.cert</tt> package
                  includes a number of utility classes that can also be used to interact with
                  keys, certificates, and certificate signing requests.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>Entry.diff</tt> method to make it possible to perform a
                  byte-for-byte comparison of attribute values instead of using the matching rule
                  associated with each attribute type.  This makes it possible to detect changes
                  that result in a logically-equivalent value, like replacing the value of a
                  case-insensitive attribute with a value that differs only in capitalization.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>PasswordReader.readPasswordChars</tt> method that can be used to
                  read a password as a character array.  It was previously only possible to read a
                  password as a byte array.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>LDAPConnection.closeWithoutUnbind</tt> method that can be used
                  to close a connection without first sending an LDAP unbind request.  This
                  practice is generally discouraged, but it can be useful in cases where it is
                  known that the connection is no longer valid, and especially in cases where an
                  attempt to send a request over the connection could cause the client to block.
                  Connection pool implementations have been updated to use this method whenever
                  they are closing a connection that is believed to be invalid.
                  <br><br>
                </li>

                <li>
                  Improved support for validating object identifiers.  While the LDAP SDK offered
                  some support for determining whether a string represented a valid numeric OID,
                  there were some types of validation that it did not perform.  In particular, it
                  did not check to ensure that the numeric OID had at least two components, that
                  the first component had a value between zero and two, or that the second
                  component had a value between zero and thirty-nine if the first component had a
                  value of zero or one.  The <tt>OID</tt> class now provides an option for
                  performing this more strict validation.  There is also a new
                  <tt>OIDArgumentValueValidator</tt> class that can be used to ensure that a
                  command-line argument represents a valid OID, and this validator can operate
                  either with or without this new strict validation.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could cause the LDAP SDK to leak a connection if it is
                  configured with an <tt>SSLSocketVerifier</tt> and that verifier rejects the
                  connection for some reason.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could cause the LDAP SDK to unnecessarily block for the full
                  response timeout duration if an error occurred while attempting to send a
                  simple bind request on a connection configured to operate in synchronous mode.
                  At present, the only known circumstance in which the problem might appear is the
                  case in which the connection is configured with an <tt>SSLSocketFactory</tt> and
                  the server does not provide any response whatsoever to the attempt to begin TLS
                  negotiation.
                  <br><br>
                </li>

                <li>
                  Added support for new ASN.1 element types, including bit string, object
                  identifier, generalized time, UTC time, UTF-8 string, IA5 string, printable
                  string, and numeric string.  Also, added support for a new integer variant that
                  is backed by Java's <tt>BigInteger</tt> class and allows for integer values of
                  any magnitude.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>ASN1Element</tt> class to add methods to make it easier to
                  determine the BER type class for an element and to determine whether the
                  primitive/constructed bit is set.
                  <br><br>
                </li>

                <li>
                  Added support for a new uniqueness request control that can be used to indicate
                  that the associated add, modify, or modify DN request should be rejected if the
                  server detects that it would introduce a value that is already in use in the
                  server.  This is a nonstandard control that is currently only supported by the
                  Ping Identity Directory Server.  The <tt>ldapmodify</tt> tool has been updated
                  to make it possible to send requests that include this control.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>searchrate</tt> tool to support setting the size limit, time
                  limit, alias dereferencing policy, and typesOnly flag in search requests.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to include support for the
                  UnboundID-proprietary ignore NO-USER-MODIFICATION request control.  This
                  control can be included in an add request to permit the client to set values for
                  attributes that are typically only allowed to be set by the server.
                  <br><br>
                </li>

                <li>
                  Updated the password policy state extended operation to add new operation types
                  that make it possible to determine whether the target user has a static
                  password, and the <tt>manage-account</tt> tool has been updated to support this
                  operation.  In addition, a new account usability notice has been added that can
                  be included in an account usability response if the target user does not have a
                  static password.
                  <br><br>
                </li>

                <li>
                  Updated the argument parser to add the ability to hide subcommand names and
                  argument identifiers.  For convenience, you can assign multiple names to the
                  same subcommand, and you can assign multiple identifiers to the same argument.
                  In the past, all subcommand names and argument identifiers would be displayed in
                  the usage information, but this could result in a lot of clutter.  There may be
                  cases in which you want to allow multiple values but not display them all in the
                  usage.  When adding an additional subcommand name or argument identifier, you
                  can now indicate whether it should be omitted from the tool's generated usage
                  information.
                  <br><br>
                </li>

                <li>
                  Improved the quality of LDAP request debug messages.  The messages will now
                  include the internal connection ID, connection name, connection pool name, the
                  address and port of the server to which the request is being sent, and the LDAP
                  message ID for the request.  The debug messages for abandon and unbind requests
                  are now more consistent with the debug messages for other types of requests,
                  and the LDAP SDK now does a better job of debugging SASL bind requests.
                  <br><br>
                </li>

                <li>
                  Updated the OID reference to include the OID for the UnboundID-proprietary
                  password update behavior request control.
                  <br><br>
                </li>

                <li>
                  Updated the set of LDAP-related specifications to include RFC 8284, which
                  defines an LDAP schema for supporting XMPP in white pages.  The former
                  draft-kille-ldap-xmpp-schema draft has been removed because the new RFC
                  supersedes it.
                  <br><br>
                </li>

                <li>
                  Updated the set of LDAP-related specifications to include specifications for
                  certificate-related RFCs, including 2986 (PKCS #10), 5208 (PKCS #8),
                  5280 (X.509), 7292 (PKCS #12), and 8017 (PKCS #1).
                  <br><br>
                </li>

                <li>
                  Updated the set of LDAP-related specifications to include the most recent
                  revision of the draft-seantek-ldap-pkcs9 draft.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.1</h3>

              <p>
                The following changes were made between the 4.0.0 and 4.0.1 releases:
              </p>

              <ul>
                <li>
                  Added a new <tt>JVMDefaultTrustManager</tt> class that can be used to
                  automatically trust any certificate signed by an authority that the JVM
                  considers trusted by default.  The command-line tool framework has been
                  updated so that if you don't explicitly specify a trust behavior, it will now
                  check the JVM-default trust manager before prompting about whether to trust
                  the server certificate.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to add support for encoding clear-text
                  passwords using a pluggable mechanism.  For example, you can automatically have
                  clear-text passwords transformed so that they are stored as the base64-encoded
                  representation of a salted message digest.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to indicate which attributes will be
                  treated as password attributes.  Any password attribute can be used to provide
                  credentials for a bind operation, and the values of password attributes will be
                  encoded with the configured password encoder (if any).  The server was formerly
                  hard-coded to use userPassword as the password attribute, and this is still the
                  default configuration, but it is now possible to configure the server to use one
                  or more other attributes instead of or in addition to userPassword.
                  <br><br>
                </li>

                <li>
                  Added support for a new password update behavior request control.  This control
                  can be used in an upcoming release of the Ping Identity Directory Server to
                  override the behavior the server would otherwise have used for a number of
                  password-related properties (e.g., whether the password update is a self change
                  or an administrative reset, whether to allow a pre-encoded password, which
                  password storage scheme to use, etc.).  The ldapmodify tool has been updated to
                  make it easy to include this control in add and modify requests.
                  <br><br>
                </li>

                <li>
                  Updated the identify-unique-attribute-conflicts example tool to provide support
                  for identifying conflicts between combinations of attributes.  For example, you
                  can use this feature to identify cases in which there may be duplicate uid
                  values within the same organization, but ignore duplicate uid values for users
                  in different organizations.
                  <br><br>
                </li>

                <li>
                  Fixed an OSGi problem in the jar file manifest.  When the LDAP SDK supported
                  Java 1.5 or later, the correct value for the Bundle-RequiredExecutionEnvironment
                  property was "J2SE-1.5".  When we updated the LDAP SDK to require Java 7 or
                  later, the value of this property was updated to be "J2SE-1.7" instead of the
                  correct new value of "JavaSE-1.7".
                  <br><br>
                </li>

                <li>
                  Fixed a problem that prevented the complete set of argument validation from
                  being performed when running a tool in interactive mode.  In particular, the
                  interactive mode framework did not perform validation related to required,
                  exclusive, and dependent argument sets.
                  <br><br>
                </li>

                <li>
                  Fixed an issue with the way that command-line tools handled trailing arguments
                  in interactive mode.  If the tool didn't require any trailing arguments but
                  allowed any number of them to be provided, then interactive mode did not allow
                  trailing argument values to be provided.
                  <br><br>
                </li>

                <li>
                  Fixed an issue with the way that relative paths were handled in command-line
                  tools run in interactive mode.  When a Java <tt>File</tt> object is created from
                  a relative path rather than an absolute path, the <tt>getParentFile()</tt>
                  method may return <tt>null</tt>, and this could cause the LDAP SDK to
                  incorrectly believe that the file's parent didn't exist.  To avoid this, the
                  LDAP SDK now uses <tt>getAbsoluteFile().getParentFile()</tt> in order to get the
                  parent for any <tt>File</tt> that may have been created from a relative path.
                  <br><br>
                </li>

                <li>
                  Fixed an issue with command-line tools that default to interactive mode that
                  could arise if the tool is invoked without any arguments, but if it tries to use
                  a properties file referenced by an environment variable or JVM property.  If the
                  properties file contained some but not all of the arguments needed to invoke the
                  tool, the command-line tool framework would still try to invoke the tool with
                  just the arguments from the properties file, which could result in erratic
                  behavior, unexpected errors, or uncaught exceptions.  The tool will now launch
                  in interactive mode to allow the missing arguments to be specified.
                  <br><br>
                </li>

                <li>
                  The ldapsearch tool has been updated so that the base DN argument is now
                  optional in all circumstances.  Previously, you had to explicitly provide either
                  a base DN or an LDAP URL file, but this created a usability problem if you ran
                  ldapsearch in interactive mode and wanted to search with a null base DN (that
                  is, the DN with the empty string representation).  Now, if you don't provide
                  either a base DN or an LDAP URL file, then ldapsearch will assume a null base
                  DN.
                  <br><br>
                </li>

                <li>
                  Updated the class-level Javadoc documentation for a number of classes that
                  implement controls and extended requests and responses.  If it takes an
                  encoded value, the Javadoc documentation now describes the encoding for that
                  value.
                  <br><br>
                </li>

                <li>
                  Fixed a couple of problems with message format strings that had incorrect
                  property references (for example, they referenced "{1}" when they should have
                  referenced "{0}" as the first argument).  The LDAP SDK build process has been
                  updated to better catch these kinds of problems.
                  <br><br>
                </li>

                <li>
                  Improved the <tt>ByteStringBuffer.append(CharSequence)</tt> method so that it
                  will be much more efficient for <tt>CharSequence</tt> implementations in which
                  iterating through the characters using the <tt>charAt(int)</tt> method is
                  expensive.
                  <br><br>
                </li>
              </ul>

              <p></p>



              <h3>Version 4.0.0</h3>

              <p>
                The following changes were made between the 3.2.1 and 4.0.0 releases:
              </p>

              <ul>
                <li>
                  The LDAP SDK now requires Java SE 7 or later.  It was previously possible to
                  build and run the LDAP SDK with Java SE 1.5 or later, but now neither Java SE
                  1.5 nor Java SE 1.6 are supported.  We officially support Java SE 7 and 8.
                  There are known issues with building the LDAP SDK in early access versions of
                  Java SE 9, but a version of the LDAP SDK built on Java SE 7 or 8 should run
                  without problems under Java SE 9.
                  <br><br>
                </li>

                <li>
                  We no longer maintain separate editions of the LDAP SDK.  Previously, we had
                  three different editions:  Standard Edition, Commercial Edition, and Minimal
                  Edition.  While there were valid reasons for them in the past, those reasons no
                  longer apply, and it is simpler to maintain just a single edition.  The new
                  edition is simply called "UnboundID LDAP SDK for Java", and it contains all of
                  the content that had previously been in the Commercial Edition (which was itself
                  a superset of the Standard Edition, which was a superset of the Minimal Edition).
                  <br><br>
                </li>

                <li>
                  The GitHub repository for the UnboundID LDAP SDK for Java has been moved into
                  the Ping Identity organization.  The URL to the repository has changed from
                  <a href="https://github.com/unboundid/ldapsdk">https://github.com/unboundid/ldapsdk</a>
                  to <a href="https://github.com/pingidentity/ldapsdk">https://github.com/pingidentity/ldapsdk</a>,
                  but a redirect is in place to ensure that clients using the old URL are
                  automatically transferred to the new location.
                  <br><br>
                </li>

                <li>
                  The content in the open source repositories for the LDAP SDK (on GitHub at
                  <a href="https://github.com/pingidentity/ldapsdk">https://github.com/pingidentity/ldapsdk</a>
                  and on SourceForge at
                  <a href="https://sourceforge.net/p/ldap-sdk/code/HEAD/tree/">https://sourceforge.net/p/ldap-sdk/code/HEAD/tree/</a>)
                  now matches the content in the internal repository.  The full source code for
                  all LDAP SDK unit tests is now available, along with some supporting build
                  components.
                   <br><br>
                </li>

                <li>
                  Fixed a bug in the logic for parsing DNs with RDN values that used a raw BER
                  encoding, which is indicated in the string representation by starting an
                  attribute value with the octothorpe (#) character.  The LDAP SDK would
                  incorrectly use the entire set of bytes (representing the BER type, length, and
                  value of the BER element) following the octothorpe character as the attribute
                  value instead of just the BER value.
                   <br><br>
                </li>

                <li>
                  Fixed a bug in the LDAP connection pool that could cause the pool to lose a
                  connection if createIfNecessary is false and if the replaceDefunctConnection
                  method was called but could not successfully create a new connection.  If this
                  happened enough times, the pool could run out of connections, and it would
                  refuse to create new ones.
                   <br><br>
                </li>

                <li>
                  Fixed a bug that could cause the LDAP SDK to use the same message ID for all
                  stages of a multi-stage SASL bind instead of using a different message ID for
                  each stage.
                   <br><br>
                </li>

                <li>
                  Fixed a bug in the in-memory directory server LDIF import code that prevented
                  imported entries from being subjected to the configured schema.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the in-memory directory server's handling of LDAP subentries.
                  The server could incorrectly return entries that are not LDAP subentries in
                  response to a search request that included the LDAP subentries request control.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could cause tools to incorrectly launch in interactive mode
                  even if default values for some tool arguments were provided through a
                  properties file.
                  <br><br>
                </li>

                <li>
                  Updated the ldapmodify tool to fix a bug that could cause it to use an exit code
                  of zero even if an error was encountered while reading LDIF data.  It would have
                  always used a nonzero exit code for unrecoverable LDIF parsing errors, but the
                  exit code may not have indicated a problem if the error was recoverable and the
                  tool was able to continue parsing subsequent LDIF records.
                  <br><br>
                </li>

                <li>
                  Updated the ldapmodify tool to fix a bug that could cause it to incorrectly use
                  an exit code of zero when processing operations as part of a transaction but the
                  attempt to commit the transaction was unsuccessful.
                  <br><br>
                </li>

                <li>
                  Updated the ldapsearch tool so that the -T argument is associated with the
                  tool-specific --dontWrap argument rather than the generic --trustStorePassword
                  argument that is normally the case for other LDAP tools.  This provides better
                  backward compatibility with other versions of the ldapsearch tool.
                   <br><br>
                </li>

                <li>
                  Updated the ldapsearch tool to add support for the --skipResolvingExplodedIndexes,
                  --fastShortCircuitThreshold, and --slowShortCircuitThreshold options for the
                  matching entry count request control.  These options had previously been
                  overlooked.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the ldapsearch tool that caused it to omit all attributes when
                  run with the --typesOnly argument, indicating that attributes should be returned
                  without any values.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the LDAP SDK argument parser that involved reading Boolean
                  arguments from a properties file.  If a Boolean argument were assigned a value
                  of false in a properties file, that argument would incorrectly be listed among
                  the command-line arguments obtained from the properties file.
                   <br><br>
                </li>

                <li>
                  Updated all copyright notices to reference Ping Identity rather than UnboundID.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK documentation to use Ping Identity branding.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK documentation to include an LDAPv3 wire protocol reference
                  document that provides in-depth coverage of the ASN.1 Basic Encoding Rules (BER)
                  and all kinds of LDAP request and response messages with annotated examples.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK documentation to include a new LDAP result code reference
                  document.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK documentation to include a new LDAP OID reference document.
                  <br><br>
                </li>

                <li>
                  Updated the set of LDAP-related specifications to include RFC 2926 (Conversion
                  of LDAP Schemas to and from SLP Templates), RFC 2985 (PKCS #9: Selected Object
                  Classes and Attribute Types Version 2.0), RFC 4226 (HOTP: An HMAC-Based One-Time
                  Password Algorithm), and RFC 6238 (TOTP: Time-Based One-Time Password
                  Algorithm).
                  <br><br>
                </li>

                <li>
                  Updated the set of LDAP-related specifications to include the latest revisions
                  of the draft-kille-ldap-xmpp-schema, draft-seantek-ldap-pkcs9, and
                  draft-wibrown-ldapssotoken drafts.
                  <br><br>
                </li>

                <li>
                  Updated the build-time collection of information about the source repository to
                  include support for git in addition to the existing support for subversion.  If
                  the LDAP SDK is checked out from a git repository, the generated
                  com.unboundid.ldap.sdk.Version class will now include the repository URL and
                  revision ID associated with that git repository.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 3.2.1</h3>

              <p>
                The following changes were made between the 3.2.0 and 3.2.1 releases:
              </p>

              <ul>
                <li>
                  Updated the documentation to indicate that non-public feedback, feature
                  enhancements, support requests, and other kinds of communication should now be
                  sent to ldapsdk-support@pingidentity.com instead of
                  ldapsdk-support@unboundid.com. We also now recommend using the GitHub issue
                  tracker over the SourceForge mailing lists and discussion forums for bug
                  reports and feature requests.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the RDN parsing code that could cause multiple consecutive spaces
                  in the middle of an attribute value to be condensed down to a single space.  The
                  string representation of the RDN was preserved correctly, but the methods used
                  to retrieve attribute values as strings or byte arrays returned the values
                  without all of the spaces.
                  <br><br>
                </li>

                <li>
                  Provided better handling for <tt>InterruptedException</tt> exceptions.  A
                  thread's interrupted state will now be preserved for cases in which the LDAP SDK
                  consumes an <tt>InterruptedException</tt> without doing something to handle it.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the support for the ANONYMOUS SASL mechanism that could cause the
                  trace string to be omitted from the encoded bind request sent to the directory
                  server.
                  <br><br>
                </li>

                <li>
                  Updated the searchrate tool to provide support for generic controls, as well as
                  specific support for the assertion, simple paged results, and server-side sort
                  request controls.
                  <br><br>
                </li>

                <li>
                  Updated the authrate tool to add a new <tt>--bindOnly</tt> argument allows you
                  to indicate that the tool should only perform bind operations, and should omit
                  the initial search used to find the entry for the target user.  The base DN
                  pattern will be used to construct the bind DN.
                  <br><br>
                </li>

                <li>
                  Updated the authrate tool to provide support for generic search and bind
                  controls, as well as specific support for the authorization identity and
                  password policy request controls.
                  <br><br>
                </li>

                <li>
                  Updated the search-and-mod-rate tool to provide support for generic search and
                  modify controls, as well as specific support for the assertion, simple paged
                  results, permissive modify, pre-read, and post-read request controls.
                  <br><br>
                </li>

                <li>
                  Added a <tt>Schema.getSchema</tt> method that can read schema information (in
                  LDIF form) from an input stream.  This is in addition to the existing
                  <tt>getSchema</tt> methods that can be used to read schema from an LDAP server
                  and from one or more LDIF files.
                  <br><br>
                </li>

                <li>
                  Updated the support for the GSSAPI SASL mechanism to make it possible to
                  explicitly indicate whether the client should be a GSSAPI initiator or acceptor
                  in the generated configuration file.
                  <br><br>
                </li>

                <li>
                  Updated the support for the server-side sort request control to add constructors
                  that allow the sort keys to be provided in a list as an alternative to the
                  existing varargs version that allows them to be provided in an array.
                  <br><br>
                </li>

                <li>
                  Updated the support for the matched values request control to add constructors
                  that allow the matched values filters to be provided in a list as an alternative
                  to the existing varargs version that allows them to be provided in an array.
                  <br><br>
                </li>

                <li>
                  Updated the identify-unique-attribute-conflicts tool to include a time limit in
                  search requests intended to determine whether a unique attribute value may also
                  be in use in any other entries.  This can help limit the effect of running the
                  tool against a server that is not configured with the appropriate indexes to
                  ensure that equality searches targeting the unique attributes can be processed
                  efficiently.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to respect the client-requested time
                  limit if that limit is exceeded because of a processing delay that has been
                  configured for the server.
                  <br><br>
                </li>

                <li>
                  Improved the Javadoc documentation for the argument parser to indicate that
                  arguments provided to the <tt>addDependentArgumentSet</tt>,
                  <tt>addExclusiveArgumentSet</tt>, and <tt>addRequiredArgumentSet</tt> methods
                  must have already been registered with the argument parser.
                  <br><br>
                </li>

                <li>
                  Improved the Javadoc documentation for the JSON support to better describe the
                  behavior of the <tt>toString</tt>, <tt>toSingleLineString</tt>, and
                  <tt>toNormalizedString</tt> methods, and to make it clear that the
                  <tt>JSONString.toString</tt>tt> method includes the surrounding quotation marks
                  and may have special characters escaped, and the <tt>stringValue</tt>tt> method
                  should be used to obtain the unquoted and unescaped value.
                  <br><br>
                </li>

                <li>
                  Updated the set of LDAP-related specifications to include a reference to the
                  draft-ietf-ldapext-ldap-c-api specification.
                  <br><br>
                </li>

                <li>
                  Added a new version of the <tt>ldapsearch</tt> tool that provides a lot of
                  additional functionality.  It includes much better output formatting
                  (including support for alternate output formats, including JSON, CSV, and
                  tab-delimited text), support for a number of data transformations, more robust
                  connection handling, support for referrals, support for a large number of search
                  and bind controls, support for administrative sessions, support for unsolicited
                  notifications, the ability to process multiple searches with search criteria
                  provided in filter files or LDAP URL files, rate limiting, and the ability to
                  send results to a specified output file (or a separate output file per search).
                  <br><br>
                </li>

                <li>
                  Added a <tt>GetUserResourceLimitsResponseControl.getOtherAttribute</tt> method
                  that makes it more convenient to get an "other" attribute by name.
                  <br><br>
                </li>

                <li>
                  Implemented caching for the matching rule instance used when the
                  jsonObjectExactMatch matching rule is requested.  This matching rule only
                  exists in the Commercial Edition and needs to be loaded via reflection, but that
                  can be expensive if it's done a lot.  Caching the result means that we only need
                  to pay that cost once.
                  <br><br>
                </li>

                <li>
                  Updated the access and error log parsing APIs to include support for the
                  triggeredByConn and triggeredByOp fields used to indicate that the message is
                  associated with a given operation.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 3.2.0</h3>

              <p>
                The following changes were made between the 3.1.1 and 3.2.0 releases:
              </p>

              <ul>
                <li>
                  Added a new <tt>transform-ldif</tt> tool that can be used to apply a number of
                  transformations to data in an LDIF file, and to make these transformations
                  available for programmatic use.  This includes:
                  <ul>
                    <li>
                      The ability to scramble, replace, redact, or exclude a specified set of
                      attributes.
                    </li>
                    <li>
                      The ability to replace existing values with a specified attribute, or with a
                      generated value that includes a sequential counter.
                    </li>
                    <li>
                      The ability to add a given set of attribute values to entries matching a
                      specified set of criteria.
                    </li>
                    <li>
                      The ability to exclude entries matching a specified set of criteria.
                    </li>
                    <li>
                      The ability to rename attributes.
                    </li>
                    <li>
                      The ability to replace the base DN for entries in a specified subtree.
                    </li>
                    <li>
                      The ability to flatten a DIT, to ensure that all entries more than one level
                      below a specified base DN are moved so that they are directly below that
                      base DN.
                    </li>
                  </ul>
                  <br><br>
                </li>

                <li>
                  Updated the <tt>EntryValidator</tt> class and the <tt>validate-ldif</tt> tool to
                  provide additional options.  It can now check to see if all attribute values
                  contained in an entry's RDN are also present in the entry attributes, can ignore
                  attribute syntax violations on a per-attribute basis, and can check attribute
                  values for compliance with a number of UnboundID-specific attribute type
                  constraints, including X-ALLOWED-VALUE, X-VALUE-REGEX, X-MIN-VALUE-LENGTH,
                  X-MAX-VALUE-LENGTH, X-MIN-VALUE-COUNT, X-MAX-VALUE-COUNT, X-MIN-INT-VALUE, and
                  X-MAX-INT-VALUE.
                  <br><br>
                </li>

                <li>
                  Updated all classes that offer a <tt>public void close()</tt> method that
                  doesn't throw any exceptions other than a possible <tt>IOException</tt> so that
                  they implement the <tt>java.io.Closeable</tt> interface.  This includes classes
                  like <tt>LDAPConnection</tt>, <tt>LDAPConnectionPool</tt>, <tt>LDIFReader</tt>,
                  <tt>LDIFWriter</tt>, all <tt>EntrySource</tt> implementations, and others.  This
                  allows code using these classes to take advantage of the try-with-resources
                  facility introduced in Java SE 7.
                  <br><br>
                </li>

                <li>
                  Added support for parsing entries that contain information about the operations
                  processed in the server, using the syntax described in the
                  draft-chu-ldap-logschema-00 draft.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>modrate</tt> tool to make a number of improvements, including:
                  <ul>
                    <li>
                      The <tt>--valueCount</tt> argument can be used to specify the number of
                      values to use for replace modifications.
                    </li>
                    <li>
                      The <tt>--increment</tt> argument can be used to indicate that the tool
                      should perform increment modifications rather than replace modifications.
                      The <tt>--incrementAmount</tt> argument can specify the amount by which
                      values should be incremented (or decremented, in the case of a negative
                      value).
                    </li>
                    <li>
                      The <tt>--assertionFilter</tt> argument can be used to include an LDAP
                      assertion request control in modify requests so that the change will only be
                      applied if the target entry matches the specified filter.
                    </li>
                    <li>
                      The <tt>--permissiveModify</tt> argument can be used to include a permissive
                      modify request control in modify requests.
                    </li>
                    <li>
                      The <tt>--preReadAttribute</tt> and <tt>--postReadAttribute</tt> arguments
                      can be used to include the pre-read or post-read request control in modify
                      requests.
                    </li>
                    <li>
                      The <tt>--control</tt> argument can be used to include arbitrary controls in
                      modify requests.
                    </li>
                  </ul>
                  <br><br>
                </li>

                <li>
                  Added a new <tt>JSONBuffer</tt> class that can be used to efficiently construct
                  the string representation of a JSON object, and a <tt>JSONObjectReader</tt>
                  class that can be used to read JSON objects from an input stream.
                  <br><br>
                </li>

                <li>
                  Added the ability to generate formatted, multi-line string representations of
                  JSON objects with better human readability.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to add support for the LDAP no-operation
                  control as described in draft-zeilenga-ldap-noop-12.
                  <br><br>
                </li>

                <li>
                  Dramatically improved the robustness for both the
                  <tt>identify-references-to-missing-entries</tt> and
                  <tt>identify-unique-attribute-conflicts</tt> tools.  They now use connection
                  pools with automatic retry in the event of an error that indicates the
                  connection may no longer be valid.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>base64</tt> command-line tool that can be used to encode and
                  decode data using the base64 format.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF reader to make it possible to specify the character set to use
                  when reading LDIF data.  Previously, the character set was always assumed to be
                  UTF-8.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF writer to make it possible to automatically include a comment
                  below any base64-encoded values that provides a non-base64-encoded
                  representation (with special characters escaped) of the preceding value.
                  <br><br>
                </li>

                <li>
                  Dramatically simplified the exception message used if it is not possible to
                  establish a connection to the directory server.
                  <br><br>
                </li>

                <li>
                  Updated the command-line argument parser to provide support for subcommands
                  with their own distinct sets of arguments.
                  <br><br>
                </li>

                <li>
                  Updated the command-line argument parser to add support for timestamp arguments,
                  whose values are either timestamps in generalized time format (which explicitly
                  specifies the time zone), or timestamps in the form YYYYMMDDhhmm,YYYYMMDDhhmmss,
                  or YYYYMMDDhhmmss.uuu (generalized time without a time zone specifier) that will
                  be assumed to be in the local time zone.  A new timestamp range argument value
                  validator can be used to ensure that timestamp values are only permitted to be
                  within a specified range.
                  <br><br>
                </li>

                <li>
                  Updated the command-line argument parsing framework to add support for an IP
                  address argument value validator.  This can be used to configure an argument to
                  only accept properly-formed IPv4 or IPv6 addresses.
                  <br><br>
                </li>

                <li>
                  Updated the command-line tool API to provide the ability to default to
                  interactively prompting for bind passwords when appropriate.  Tools would
                  previously only prompt for a password if explicitly requested to do so using the
                  <tt>--promptForBindPassword</tt> argument.
                  <br><br>
                </li>

                <li>
                  Updated the command-line tool API to provide the ability for tools to
                  offer an <tt>--outputFile</tt> argument that causes them to send their output
                  to a specified file.  It can be paired with the <tt>--teeOutput</tt> argument to
                  cause the output to be sent to both the specified file and to the console.  The
                  <tt>--appendToOutputFile</tt> argument will cause the tool to append to an
                  existing output file rather than overwriting it.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP command-line tool API to make the <tt>--bindDN</tt> and
                  <tt>--saslOption</tt> arguments are mutually exclusive.  None of the supported
                  SASL mechanisms make use of a bind DN, and combining these options is only
                  likely to cause confusion.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>SSLUtil</tt> methods for creating SSL server sockets so that
                  their enabled protocols will be set more intelligently.  This was already in
                  place for SSL client sockets, but had been overlooked for server sockets.
                  <br><br>
                </li>

                <li>
                  Updated the aggregate trust manager to provide a more useful error message when
                  none of the nested trust managers accept a presented certificate.
                  <br><br>
                </li>

                <li>
                  Updated the rate adjustor so that when using a rate tool to generate a sample
                  rate data file, the resulting file will now include a number of additional
                  examples of common rate patterns, including square, stairstep, sine, sawtooth,
                  triangle, and hockey stick.
                  <br><br>
                </li>

                <li>
                  Updated the command-line tool API so that if any tool registers a shutdown hook
                  (to allow it to perform cleanup in the event of an unexpected graceful JVM
                  termination), that shutdown hook will be de-registered if the tool completes its
                  processing without an unexpected JVM shutdown.
                  <br><br>
                </li>

                <li>
                  Added a utility class for reading a file containing entry DNs.  Blank lines and
                  lines containing comments will be ignored.  Each DN must be on a line by itself,
                  and it may optionally be prefixed by "dn:".  It is also possible to include
                  base64-encoded DNs prefixed by "dn::".
                  <br><br>
                </li>

                <li>
                  Added a utility class for reading a file containing search filtersNs.  Blank
                  lines and lines containing comments will be ignored.  Each filter must be on a
                  line by itself.
                  <br><br>
                </li>

                <li>
                  Updated the code used to parse a search filter from its string representation to
                  support up to 100 levels of nesting rather than the previous maximum of 50
                  levels.
                  <br><br>
                </li>

                <li>
                  Added new convenience methods and constructors for use when programmatically
                  creating schema elements.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>LDAPBindException.toLDAPResult</tt> and
                  <tt>LDAPExtendedOperationException.toLDAPResult</tt> methods so that they return
                  the underlying <tt>BindResult</tt> or <tt>ExtendedResult</tt> rather than
                  creating a new generic <tt>LDAPResult</tt>
                  <br><br>
                </li>

                <li>
                  Updated the Netscape Directory API migration support to make it possible to
                  abandon a search operation with an <tt>LDAPSearchResults</tt> object.
                  <br><br>
                </li>

                <li>
                  Updated the JNDI migration support to make it possible to specify a context base
                  DN when converting between an LDAP SDK entry and a JNDI search result.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK documentation to include the latest revisions of updated
                  IETF drafts, including draft-seantek-ldap-pkcs9 and draft-wibrown-ldapssotoken.
                  <br><br>
                </li>

                <li>
                  Added a version of the <tt>ldapmodify</tt> tool with support for a wide range of
                  features, including a wide range of controls, LDAP transactions and multi-update
                  operations, following referrals, bulk operation processing, rate limiting, and
                  automatically retrying operations that fail in a manner that indicates the
                  connection may no longer be usable.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>manage-account</tt> tool that can be used to perform a large
                  number of password policy state operations on a specified user entries, or on
                  sets of user entries.  This tool is completely backwards-compatible with the
                  <tt>manage-account</tt> tool formerly provided with UnboundID server products
                  (and in fact, that tool has now been replaced with the version included in the
                  LDAP SDK), but the new tool provides support for many more operations, and much
                  better support for bulk operations that target multiple users instead of just
                  one.  The LDAP SDK's support for the password policy state extended operation
                  has also been updated to make it possible to take advantage of a number of new
                  operation types.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>split-ldif</tt> tool that can be used to split a single LDIF
                  file so that entries below a given base DN are split into multiple distinct
                  sets.  This may be useful for preparing data for use with the Directory Proxy
                  Server in an entry-balancing deployment.  The data may be split according to a
                  number of types of criteria.
                  <br><br>
                </li>

                <li>
                  Added support for a new task that can be used to trigger the rotation of one
                  or more server log files.
                  <br><br>
                </li>

                <li>
                  Added support for "generate TOTP shared secret" and "revoke TOTP shared secret"
                  extended operations, which can be used to help automate the process of
                  configuring a user account to support two-factor authentication with the
                  UNBOUNDID-TOTP SASL mechanism.  A new <tt>generate-totp-secret</tt> command-line
                  tool is also provided, which can be used to invoke these extended operations from
                  the command line.
                  <br><br>
                </li>

                <li>
                  Added support for the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL
                  mechanism, which can be used to indicate that a user has attempted to
                  authenticate through some mechanism that is external to the Directory Server,
                  but allows the server to override a successful authentication attempt to
                  indicate a failure (e.g., if the user's account is in an unusable state, like
                  being disabled or locked, or having an expired password), or to perform any
                  appropriate state processing (e.g., to update the last login time and IP address
                  for a successful authentication, or the failure count for a failed attempt).
                  <br><br>
                </li>

                <li>
                  Added support for parsing the new index monitor attributes used for counting
                  keys near and over the index entry limit that have been accessed while
                  processing search and update operations.  Also updated the log parsing API to
                  support parsing the corresponding elements from access log messages.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the <tt>summarize-access-log</tt> tool that could cause it to
                  take a very long time to process log messages for search operations with certain
                  types of very deeply-nested filters.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 3.1.1</h3>

              <p>
                The following changes were made between the 3.1.0 and 3.1.1 releases:
              </p>

              <ul>
                <li>
                  Updated the <tt>AddRequest</tt> constructor that allows you to create an add
                  request from lines that compose the LDIF representation so that you can use an
                  LDIF add change record (including the "<tt>changetype: add</tt>" line, and
                  optionally including one or more controls) as an alternative to providing the
                  LDIF representation of an entry.
                  <br><br>
                </li>

                <li>
                  Added two new LDAP listener request handler implementations that can be used to
                  limit the load that LDAP clients are able to impose on the server.  The
                  concurrent request limiter implementation imposes a limit on the number of
                  requests that may be processed simultaneously.  The rate limiter implementation
                  imposes a limit on the maximum rate of operations that may be processed in a
                  particular time period.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in which the LDAP connection pool statistics were not always
                  properly updated after an unsuccessful attempt to establish a new connection for
                  use in the pool.
                  <br><br>
                </li>

                <li>
                  Updated LDAP command-line tools to provide a new "<tt>--helpSASL</tt>" argument
                  that can be used to display information about the supported SASL mechanisms and
                  the SASL options available for each mechanism.
                  <br><br>
                </li>

                <li>
                  Updated the command-line argument parser to the use of a properties file for
                  obtaining default values for a specified set of arguments.  This can help
                  administrators define a properties file with commonly-used argument values
                  (e.g., LDAP server address, port, TLS settings, bind DN, etc.) so that they do
                  not need to be explicitly specified in the set of arguments when running a tool.
                  Command-line tools can choose to enable or disable this feature, and tools that
                  enable it will also have an option to generate a template file that makes it
                  easier to specify the desired properties for that file.
                  <br><br>
                </li>

                <li>
                  Updated the command-line argument parser to support assigning group names to
                  arguments.  This allows related arguments to be grouped together in the usage
                  information obtained with the "<tt>--help</tt>" argument.
                  <br><br>
                </li>

                <li>
                  Updated command-line tools to provide alternate long identifiers for a number of
                  arguments.  This primarily covers the difference between camelCase versus
                  dash-separated words (e.g., what was previously only available as
                  "<tt>--bindDN</tt>" can now alternately be specified as "<tt>--bind-dn</tt>").
                  <br><br>
                </li>

                <li>
                  Updated the documentation to include the most recent versions of a number of
                  LDAP-related specifications.
                  <br><br>
                </li>

                <li>
                  Added client-side support for a new UNBOUNDID-YUBIKEY-OTP SASL mechanism that
                  can be used to perform single-factor or two-factor authentication using a
                  one-time password generated by a YubiKey device.
                  <br><br>
                </li>

                <li>
                  Added client-side support for a pair of extended operations that can be used to
                  register or deregister YubiKey OTP devices for use by a specified user.
                  <br><br>
                </li>

                <li>
                  Updated the matching entry count request control to provide support for new
                  options that allow the client to have some control over the balance between how
                  quickly the matching entry count estimate should be obtained versus how accurate
                  that estimate should be.  In particular, it is now possible for the client to
                  control the short-circuit threshold, and to indicate whether to actually
                  retrieve entry ID sets from exploded indexes in the case that the number of
                  entries in the set is already known.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 3.1.0</h3>

              <p>
                The following changes were made between the 3.0.0 and 3.1.0 releases:
              </p>

              <ul>
                <li>
                  Updated the command-line tool API to make it possible to run tools in an
                  interactive mode.  This mode, which is enabled by default in most of the example
                  tools that ship with the LDAP SDK, allows the tool to prompt the user for the
                  values of all the connection and authentication details, as well as for any
                  tool-specific required properties.  It will then display a menu that can be used
                  to edit the arguments, run the tool with the specified settings, and display the
                  command-line arguments to run the tool with those settings in non-interactive
                  mode.
                  <br><br>
                </li>

                <li>
                  Updated the ldap-debugger tool to add the ability to generate source code that
                  can be used to process all of the operations passing through it.  The
                  in-memory directory server has also been updated to provide a similar
                  capability.  This can help make it easier to migrate applications written using
                  other APIs to the UnboundID LDAP SDK.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP connection pool to make it possible to configure a minimum
                  available connection goal.  If set, the connection pool will try to maintain at
                  least this many connections available for immediate use.  This can help avoid
                  application performance problems that can result if the pool is empty and
                  connections must be created on-demand for new requests.
                  <br><br>
                </li>

                <li>
                  Added support for LDIF translators that can be used to transform LDIF change
                  records when reading from or writing to LDIF.  These translators are especially
                  useful when using multiple threads to read or write multiple change records in
                  parallel.
                  <br><br>
                </li>

                <li>
                  Updated the GSSAPI bind request implementation to add the ability to obtain
                  credentials from a keytab, and to indicate that the configuration should be
                  refreshed before attempting the JAAS login.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to make it possible to use a specific
                  entry as the root DSE instead of the dynamically-generated version.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP listener framework and the in-memory directory server to make
                  it possible to limit the number of connections that may be established at any
                  given time.
                  <br><br>
                </li>

                <li>
                  Added new <tt>Entry.applyModifyDN</tt> methods that can be used to retrieve a
                  new entry that reflects the changes associated with processing a modify DN
                  operation against that entry.  In addition to updating the DN for the entry, it
                  will also apply any appropriate attribute changes for the entry's new RDN.
                  <br><br>
                </li>

                <li>
                  Improved support for the LDAP SDK's automatic selection of enabled TLS protocols
                  to improve compatibility with TLS implementations that do not support the most
                  recent TLS protocol offered by the JVM and also don't properly handle a TLS
                  client hello message that references the newer protocol.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK so that it will always throw an <tt>LDAPException</tt> if
                  the server returns a non-success result for a StartTLS extended operation.  It
                  was previously possible for the LDAP SDK to return a non-success result without
                  throwing an exception (as is the case for other types of extended operations),
                  but that could potentially cause the client to continue using a connection that
                  it incorrectly believed to be secure.
                  <br><br>
                </li>

                <li>
                  Added the ability to create a <tt>StartTLSPostConnectProcessor</tt> with an
                  <tt>SSLSocketFactory</tt> instead of an <tt>SSLContext</tt>.  Using a socket
                  factory created with the <tt>SSLUtil.createSSLSocketFactory</tt> will provide
                  better support for a the full range of enabled TLS protocols.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>LDAPBindException</tt> class that is a subclass of
                  <tt>LDAPException</tt> and can provide access to the server SASL credentials
                  returned to the client in a bind failure.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>LDAPExtendedOperationException</tt> class that is a subclass of
                  <tt>LDAPException</tt> and can provide access to the OID and value returned to
                  the client in an extended operation failure.
                  <br><br>
                </li>

                <li>
                  Improved the LDAP SDK's handling of connect timeouts to ensure that a connection
                  attempt is less likely to block for longer than the configured connect timeout.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP connection pool health check to add the ability to perform
                  validation after the pool performs a bind, either at the time a connection is
                  created or when the pool re-authenticates a connection as a result of a call to
                  <tt>bindAndRevertAuthentication</tt> or
                  <tt>releaseAndReAuthenticateConnection</tt>.
                  <br><br>
                </li>

                <li>
                  Added a new password expiration LDAP connection pool health check that can be
                  used to warn about or reject connections in which the bind result indicates a
                  current or upcoming password-policy-related problem like password expiration or
                  account lockout.
                  <br><br>
                </li>

                <li>
                  Added a new aggregate LDAP connection pool health check that can be used to
                  invoke multiple health checks as a single unit.
                  <br><br>
                </li>

                <li>
                  Added a new aggregate post-connect processor that can be used to invoke multiple
                  post-connect processors as a single unit.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP command-line tool API to make it possible to specify more
                  options when creating a connection pool using the settings provided via
                  command-line arguments.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK to include Java implementations from Azul Systems in the
                  whitelist of JVMs that permit concurrent socket factory use by default.
                  <br><br>
                </li>

                <li>
                  Fixed a potential thread safety problem in the
                  <tt>LDAPConnectionPool.releaseAndReAuthenticateConnection</tt> method.
                  <br><br>
                </li>

                <li>
                  Deprecated the <tt>LDAPConnectionOptions</tt> support for auto-reconnect.  It
                  has always been inherently fragile and only useful under limited circumstances.
                  Using a connection pool, even when only a single connection is expected at any
                  given time, is a much more reliable and feature-rich way to achieve the same
                  benefits.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF reader to be more permissive when encountering mismatches
                  between the declared attribute description for a modification and the
                  attribute description provided with the set of values.  It will now accept
                  differences in the order of attribute options, and, if a schema is available,
                  will accept equivalent names (or the numeric OID) for an attribute type.  It
                  can also handle the case in which the binary transfer option was not included
                  in the initial attribute description but is used in one or more values.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF reader to make it possible to specify the trailing space
                  behavior when using static methods to decode LDIF entries and change records.
                  <br><br>
                </li>

                <li>
                  Added minimal constructors for a number of argument types that assume common
                  values for a number of properties.  Also added default placeholder strings for
                  arguments so that it is not always necessary to provide a non-null value when
                  creating an argument.
                  <br><br>
                </li>

                <li>
                  Improved the argument descriptions for arguments in performance testing tools
                  (including searchrate, modrate, authrate, and search-and-modrate) to provide the
                  URL to online documentation that describes complete details for the value
                  pattern syntax.
                  <br><br>
                </li>

                <li>
                  Updated the methods used to retrieve schema information from the directory
                  server so that they use the correct "(objectClass=subschema)" filter and will
                  request all user attributes in addition to the schema-related operational
                  attributes.  Also, ensure that schema entries read from LDIF files always
                  include at least the top, ldapSubentry, and subschema object classes.
                  <br><br>
                </li>

                <li>
                  Removed the <tt>@ThreadSafety</tt> annotation from the
                  <tt>ThreadSafetyLevel</tt> enum class, since an enum should not be marked with
                  an annotation whose argument list includes a value of that enum.  This will also
                  eliminate a compile warning when building a Scala application that uses the LDAP
                  SDK.
                  <br><br>
                </li>

                <li>
                  Updated the way that the LDAP SDK maintains thread-local buffers used for
                  building LDAP messages.  Previously, the LDAP SDK would create thread-local
                  buffers and maintain them for the life of the threads used to construct LDAP
                  messages.  It will now only maintain these buffers as long as there is at least
                  one connection established.  Once all connections are closed, any buffers that
                  may have been created will be freed.
                  <br><br>
                </li>

                <li>
                  Updated the documentation to include the most recent versions of a number of
                  LDAP-related specifications.
                  <br><br>
                </li>

                <li>
                  Added support for a new "name with entryUUID" control that can be included in an
                  add request to indicate that the resulting entry should use the server-generated
                  entryUUID as the naming attribute.
                  <br><br>
                </li>

                <li>
                  Added support for a new get password policy state issues request control that
                  may be included in a bind request under certain circumstances to obtain
                  detailed information about notices, warnings, and errors pertaining to the
                  password policy state for the user trying to authenticate.
                  <br><br>
                </li>

                <li>
                  Updated support for the password policy state extended operation to provide
                  access to additional information, including the last authentication time,
                  the account activation time, and summaries of the notice, warning, and error
                  conditions for the user's password policy state.
                  <br><br>
                </li>

                <li>
                  Added support for a new task that can be used to synchronize encryption settings
                  definitions between server instances within the same topology.
                  <br><br>
                </li>

                <li>
                  Added new result codes that may be used to obtain information about the status
                  of an attempt to deliver a one-time password, a password reset token, or a
                  single-use token.
                  <br><br>
                </li>

                <li>
                  Added a new start administrative session post-connect processor that can be used
                  to create a connection pool in which the connections are part of an
                  administrative session.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 3.0.0</h3>

              <p>
                The following changes were made between the 2.3.8 and 3.0.0 releases:
              </p>

              <ul>
                <li>
                  Make the UnboundID LDAP SDK for Java available via GitHub at
                  <a href="https://github.com/UnboundID/ldapsdk">https://github.com/UnboundID/ldapsdk</a>.
                  The SourceForge subversion repository, mailing lists, and discussion forums will
                  continue to be maintained in addition to the new GitHub support.
                  <br><br>
                </li>

                <li>
                  The LDAP SDK now includes support for using a JSON-based configuration to
                  specify a number of settings that can be used to create LDAP connections and
                  connection pools.  This includes options for connecting to a single server or
                  selecting from a group of servers using a number of algorithms, securing
                  communication with SSL or StartTLS, and authenticating connections using simple
                  or SASL mechanisms.  Basic support for creating, parsing, and interacting with
                  general-purpose JSON objects is also available.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the LDIF reader's attribute parsing code that could prevent it from
                  using the correct matching rule for attributes read from LDIF.
                  <br><br>
                </li>

                <li>
                  Fix a bug that could cause the Schema class to throw a null pointer exception
                  when attempting to get the set of required or optional attribute type
                  definitions for an object class in the event that any of the superclasses were
                  not defined in the schema.
                  <br><br>
                </li>

                <li>
                  Add the ability to manually invoke a synchronous health check against an
                  LDAP connection pool, optionally with a different health check mechanism than
                  is otherwise configured for the pool.
                  <br><br>
                </li>

                <li>
                  Update the default LDAP connection pool configuration so that it no longer has
                  the possibility of blocking for up to five seconds while waiting for a
                  connection to be released if one is needed but none are immediately available.
                  <br><br>
                </li>

                <li>
                  Ensure that connection pool statistics are properly updated when a connection is
                  closed as a result of a health check failure.
                  <br><br>
                </li>

                <li>
                  Update support for parsing command-line arguments to add special support for
                  arguments that describe LDAP controls, and to add improved support for
                  ensuring that argument values match a number of common formats.
                  <br><br>
                </li>

                <li>
                  Improve support for establishing connections with a connect timeout to try to
                  separate the process of creating a socket and connecting it to the target
                  server whenever possible.
                  <br><br>
                </li>

                <li>
                  Add the ability to specify an alternate key or trust store type when running the
                  in-memory directory server via the command line.
                  <br><br>
                </li>

                <li>
                  Update the value pattern support to make it possible to access the contents of
                  files in sequential order.  It was previously only possible to access file
                  contents in random order.
                  <br><br>
                </li>

                <li>
                  Update the identify-unique-attribute-conflicts example tool to make it possible
                  to only identify conflicts in entries that match a given filter.
                  <br><br>
                </li>

                <li>
                  The Commercial Edition of the UnboundID LDAP SDK for Java is now open source
                  under the terms of the GNU General Public License version 2 and the GNU Lesser
                  General Public License version 2.1.  The Commercial Edition source code is
                  available in the GitHub repository at
                  <a href="https://github.com/UnboundID/ldapsdk">https://github.com/UnboundID/ldapsdk</a>.
                  <br><br>
                </li>

                <li>
                  Add support for a new JSON object filter mechanism, which can be used to perform
                  advanced matching against JSON objects stored in the Directory Server.
                  <br><br>
                </li>

                <li>
                  Add support for a new deliver password reset token extended operation that can
                  generate a single-use token and deliver it to a specified user through some
                  out-of-band mechanism (e.g., email, SMS, voice call, etc.).  This password reset
                  token can be provided to the password modify extended operation as an
                  alternative to the user's current password in order to allow that user to choose
                  a new password.
                  <br><br>
                </li>

                <li>
                  Add support for a new get password quality requirements extended operation that
                  can be used to retrieve information about the constraints that the server will
                  impose on user passwords.  A new set of password validation details request and
                  response controls can be used to obtain information about the result of any
                  validation performed against a password included in the associated request.
                  <br><br>
                </li>

                <li>
                  Add support for a new deliver single-use tokens extended operation that can be
                  used to generate and deliver single-use tokens for arbitrary purposes (e.g., for
                  validating a provided email address or phone number).  The new consume
                  single-use tokens extended operation can be used to consume those tokens after
                  they have been delivered.
                  <br><br>
                </li>

                <li>
                  Add support for a new get supported OTP delivery mechanisms extended operation
                  that can be used to determine which out-of-band mechanisms can be used to
                  deliver one-time passwords, password reset tokens, and other single-use tokens
                  to a specified user.
                  <br><br>
                </li>

                <li>
                  Add support for creating and interacting with the Directory Proxy Server's
                  reload global index task.
                  <br><br>
                </li>

                <li>
                  Update the matching entry count control to add the ability to determine whether
                  the associated search is considered indexed.
                  <br><br>
                </li>

                <li>
                  Add a new get changelog batch change selection criteria that can be used to
                  target only changelog entries that match a specific notification destination.
                  <br><br>
                </li>

                <li>
                  Update access log parsing support to provide the ability to get information
                  about any privileges used, or any required privileges that were missing, in the
                  course of processing an operation.
                  <br><br>
                </li>

                <li>
                  Update the javadoc documentation for all Commercial Edition classes to add a
                  note to help clarify that they are part of the Commercial Edition and are not
                  available in the Standard Edition of the LDAP SDK.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 2.3.8</h3>

              <p>
                The following changes were made between the 2.3.7 and 2.3.8 releases:
              </p>

              <ul>
                <li>
                  Fix a synchronization bug in the in-memory directory server that could
                  potentially cause a concurrent modification exception under concurrent load from
                  multiple connections.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>Filter.simplifyFilter</tt> method that can be used to simplify a
                  search filter in a manner that may allow some directory servers to process the
                  search more efficiently.  Some searches used within the persistence framework
                  have been updated to use this method to simplify the filters generated for those
                  searches.
                  <br><br>
                </li>

                <li>
                  Add a utility class that can be used to work with OIDs.
                  <br><br>
                </li>

                <li>
                  Update the documentation to include a number of LDAP specification documents,
                  including LDAP-related RFCs and Internet Drafts, as well as an OID reference and
                  a result code reference.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>UnboundIDChangelogEntry</tt> class to add support for the
                  upcoming ds-changelog-target-attribute attribute, which will indicate which
                  attributes were included in the associated change.
                  <br><br>
                </li>

                <li>
                  Updated the access log parsing framework to add support for the usedPrivileges
                  and missingPrivileges access log elements.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 2.3.7</h3>

              <p>
                The following changes were made between the 2.3.6 and 2.3.7 releases:
              </p>

              <ul>
                <li>
                  Update the logic used to control the default set of enabled SSL protocols.
                  SSLv3 is now disabled by default (in response to the recent POODLE bug that
                  could cause SSLv3 connections to be decrypted by a network observer), and the
                  set of enabled protocols is more broadly compatible than was previously the
                  case when running on IBM VMs.
                  <br><br>
                </li>

                <li>
                  Add the ability to perform validation on an <tt>SSLSocket</tt> immediately
                  after its establishment (regardless of whether the connection was initially
                  secured via SSL/TLS or secured after the fact with the StartTLS extended
                  operation).  This can be used to better perform hostname validation in a
                  more secure manner than was otherwise available through the trust manager
                  framework.  Also, add the ability to get access to the <tt>SSLSession</tt>
                  associated with a connection that has been secured via SSL/TLS or StartTLS.
                  <br><br>
                </li>

                <li>
                  Make a number of updates to GSSAPI support, including the ability to specify the
                  JAAS client name (which allows the use of a single JAAS configuration file with
                  a number of different configurations), the ability to customize the use of a
                  property indicating whether to allow credentials from outside the current
                  subject, and to suppress the alteration of a specified set of system properties
                  in the event that they had already been set by some other mechanism.
                  <br><br>
                </li>

                <li>
                  Add a new server set that can use round-robin DNS configurations to support
                  hostnames that resolve to multiple IP addresses.  The selection of which IP
                  address to use for a given connection may be made at random, in round-robin
                  order, or based on the order in which the addresses were returned from the name
                  service.
                  <br><br>
                </li>

                <li>
                  Update the connection pool to add a method that can be used to shrink the
                  current size of the pool to a specified number of connections.  This will have
                  no effect on the maximum size of the pool, but can reduce the number of
                  established connections if an earlier spike in utilization resulted in the
                  creation of a number of extra connections that are no longer needed.
                  <br><br>
                </li>

                <li>
                  Update the persistence framework to improve support for classes marked with
                  <tt>@LDAPObject</tt> that are subclasses of other classes marked with
                  <tt>@LDAPObject</tt>.  If a subclass does not define any RDN fields or getters,
                  they will now be inherited from a superclass.  If a subclass does not define any
                  default parent DN, then it will be inherited from a superclass.  DN fields and
                  entry fields defined in superclasses will now be properly handled.  The set of
                  attributes to request for inclusion in search result entries will also be
                  properly aggregated from all superclasses.
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server to make it possible to reject anonymous
                  binds, whether via simple or SASL authentication.  Note, however, that the
                  effect net effect on the authenticated state of the connection will be the same
                  as if it were successful, since a failed bind always results in an
                  unauthenticated connection.
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server to add a new interceptor API.  This API
                  can be used to alter client requests before they are processed by the server,
                  and to alter responses before they are returned to the client.
                  <br><br>
                </li>

                <li>
                  Update the DNS SRV record server set to make it possible to customize the set of
                  properties used to initialize the JNDI context to use when interacting with the
                  DNS server.
                  <br><br>
                </li>

                <li>
                  Add a new rate adjustor utility class that can be used in conjunction with the
                  fixed-rate barrier to adjust the rate over time based on a specified definition.
                  The searchrate, modrate, authrate, and search-and-mod-rate tools have been
                  updated to provide a new "<tt>--variableRateData</tt>" argument that makes it
                  possible to use this feature in conjunction with those tools.
                  <br><br>
                </li>

                <li>
                  Add the ability to programmatically interrupt the searchrate, modrate, authrate,
                  and search-and-mod-rate tools.
                  <br><br>
                </li>

                <li>
                  Add a new "database lock conflict" result code that may be returned by the
                  UnboundID Directory Server.
                  <br><br>
                </li>

                <li>
                  Expose the <tt>LDAPConnection.getStartTLSRequest</tt> method so that it can be
                  used by third-party code that might want to be able to process StartTLS
                  operations in the same way as had been performed for the associated connection.
                  <br><br>
                </li>

                <li>
                  Update the logic used for automatic referral following so that if a referral is
                  received over a connection secured via StartTLS, then the connection established
                  to follow that referral will also be secured via StartTLS.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the code responsible for automatically re-establishing a connection
                  if it becomes disconnected (which is only attempted if auto-reconnect is enabled
                  in the connection options).  If the connection had been secured with StartTLS,
                  the re-established connection was previously not secured in the same way.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the <tt>Entry.applyModifications</tt> method that could cause it to
                  reject a valid modifications that targets an attribute used in the entry's RDN
                  even if the modification would not alter the entry RDN.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the <tt>Entry.diff</tt> method when given a specific set of
                  attributes to process.  Attributes with options would be incorrectly excluded
                  from the attributes that were processed.
                  <br><br>
                </li>

                <li>
                  Fix a bug that could prevent active asynchronous operations from being notified
                  if the connection becomes disconnected.  Also, fix a bug that could prevent the
                  connection reader thread from waiting on a response to an asynchronous operation
                  that has timed out or been abandoned.
                  <br><br>
                </li>

                <li>
                  Fix a bug that could prevent parsing a DN or RDN that contains a zero-length
                  attribute value.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the way that a connection retained a handle to the last bind
                  request processed on that connection.  This could be incorrect in some cases if
                  the bind was processed using the UnboundID-proprietary retain identity request
                  control.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the prompt trust manager that could cause it to enter an infinite
                  loop if the end of the input stream was reached while waiting for confirmation
                  about whether to trust the certificate.
                  <br><br>
                </li>

                <li>
                  Eliminate a potential null pointer exception that could arise from a race
                  condition in the course of closing a connection.
                  <br><br>
                </li>

                <li>
                  Eliminate a potential illegal argument exception that could be thrown if an
                  attempt is made to close the pool using multiple threads if there are currently
                  no connections in the pool.
                  <br><br>
                </li>

                <li>
                  Make it easier to build the LDAP SDK with an external version of Apache ant
                  rather than the one included in the repository.  Also, make it possible to
                  build without invoking the checkstyle tool.
                  <br><br>
                </li>

                <li>
                  Add support for a get backend set ID control, which can be used to request that
                  the Directory Proxy Server return information about which entry-balancing
                  backend set(s) were used to process the associated operation.
                  <br><br>
                </li>

                <li>
                  Add support for a route to backend set control, which can be used to influence
                  the entry-balancing backend set(s) to which the Directory Proxy Server forwards
                  a request for processing.
                  <br><br>
                </li>

                <li>
                  Add support for a matching entry count control, which can be used to request
                  that the Directory Server or Directory Proxy Server return information about the
                  number of entries that match the search criteria rather than returning the
                  matching entries themselves.
                  <br><br>
                </li>

                <li>
                  Add support for a transaction settings request control that may be included in
                  an end transaction or atomic multi-update extended request to specify a number
                  of transaction-related settings that should be used when processing and
                  committing the transaction.
                  <br><br>
                </li>

                <li>
                  Add support for a number of extended operations that may be used to interact
                  with notification destinations and subscriptions in the UnboundID Directory
                  Server.
                  <br><br>
                </li>

                <li>
                  Update support for the set subtree accessibility extended request to make it
                  possible to atomically alter the accessibility of multiple subtrees in a single
                  request.
                  <br><br>
                </li>

                <li>
                  Add support for parsing alarm entries as exposed in the alarms backend.
                  <br><br>
                </li>

                <li>
                  Add support for retrieving and parsing the group cache monitor entry.
                  <br><br>
                </li>

                <li>
                  Add support for retrieving and parsing the recent CPU and memory usage monitor
                  entry.
                  <br><br>
                </li>

                <li>
                  Add support for retrieving and parsing the result code monitor entry.
                  <br><br>
                </li>

                <li>
                  Add support for retrieving and parsing gauge monitor entries.
                  <br><br>
                </li>

                <li>
                  Update the support for the processing time histogram monitor entry to make it
                  possible to retrieve information about extended operations, and to support an
                  upcoming format change for aggregate percent values.
                  <br><br>
                </li>

                <li>
                  Update the support for the load-balancing algorithm monitor entry to make it
                  possible to retrieve information about aggregate local and non-local health
                  check states, as well as the name of the load-balancing algorithm.
                  <br><br>
                </li>

                <li>
                  Update the deliver-one-time-password tool so that it provides a more useful
                  error message if the underlying extended request does not complete successfully.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 2.3.6</h3>

              <p>
                The following changes were made between the 2.3.5 and 2.3.6 releases:
              </p>

              <ul>
                <li>
                  Update the <tt>LDAPConnectionPool</tt> class to make it possible to specify a
                  health check that should be used for the initial set of connections established
                  when the pool is created.
                  <br><br>
                </li>

                <li>
                  Update the LDIF change record implementations to include support for change
                  records with request controls.
                  <br><br>
                </li>

                <li>
                  Update the GSSAPI and DIGEST-MD5 SASL mechanisms to provide support for the
                  auth-int and auth-conf quality of protection modes.
                  <br><br>
                </li>

                <li>
                  Update the DIGEST-MD5 SASL mechanism so that if the caller does not explicitly
                  specify a realm but the server suggests a default realm, the default realm will
                  be used.
                  <br><br>
                </li>

                <li>
                  Update the framework for processing asynchronous operations to make it more
                  convenient to invoke an add, compare, delete, modify, or modify DN operation in
                  cases in which the result will be obtained through the
                  <tt>java.util.concurrent.Future</tt> API and no async result listener is
                  desired.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>processRequestsAsync</tt> method to connection pool
                  implementations that can be used to cause multiple asynchronous add, compare,
                  delete, modify, modify DN, and/or search operations to be processed concurrently
                  on the same pooled connection.
                  <br><br>
                </li>

                <li>
                  Update the <tt>LDAPThreadLocalConnectionPool.getConnection</tt> method to use
                  the <tt>LDAPConnection,isConnected</tt> method to provide additional
                  verification that the connection is still established before returning it to
                  the caller.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the in-memory directory server support for the post-read response
                  control that caused the post-read entry to be generated before some updates
                  (e.g., those for operational attributes like modifiersName and modifyTimestamp)
                  had been processed.
                  <br><br>
                </li>

                <li>
                  Fix a potential thread safety bug in the get entry connection pool health check.
                  <br><br>
                </li>

                <li>
                  Add convenience constructors to make it easier to create a bind result, compare
                  result, or extended result from an <tt>LDAPException</tt>.
                  <br><br>
                </li>

                <li>
                  Add a convenience method that can be used to extract a password expired control
                  from an <tt>LDAPException</tt> just as easily as from an <tt>LDAPResult</tt>.
                  <br><br>
                </li>

                <li>
                  Add support for the retire password and purge password request controls.  Also
                  update the password policy state extended request to support a number of
                  operations for interacting with retired passwords, and update the access log
                  parser to support the new <tt>retiredPasswordUsed</tt> element that may appear
                  in bind response messages.
                  <br><br>
                </li>

                <li>
                  Add support for load-balancing algorithm monitor entries.
                  <br><br>
                </li>

                <li>
                  Update the class-level documentation for the start interactive transaction
                  extended request to indicate that it is no longer recommended for use, and to
                  suggest alternative means of achieving atomicity and/or bulk operations.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 2.3.5</h3>

              <p>
                The following changes were made between the 2.3.4 and 2.3.5 releases:
              </p>

              <ul>
                <li>
                  Fix a bug in the LDIF writer that could cause it to write the original entry
                  rather than a new entry generated by an <tt>LDIFWriterEntryTranslator</tt>.
                  <br><br>
                </li>

                <li>
                  Fix a bug that could cause the LDAP SDK to enter an infinite loop when attempting
                  to read data from a malformed intermediate response.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the parsing and generation of the string representation of search
                  filters that contain non-UTF-8 data.
                  <br><br>
                </li>

                <li>
                  Ensure that the LDIF representation of modify change records includes a trailing
                  dash after the last change, in strict accordance with the LDIF specification in
                  RFC 2849.
                  <br><br>
                </li>

                <li>
                  Update the LDIF writer to add a new <tt>writeVersionHeader</tt> method that can
                  be used to ensure that the "version:&nbsp;1" header is written to the LDIF
                  output.  In addition, the LDIF reader's static <tt>decodeEntry</tt> and
                  <tt>decodeChangeRecord</tt> methods have been updated to handle the case in which
                  the provided entry or change record has a first line that is the version header.
                  The LDIF reader already handled this header in normal parsing, but the static
                  methods that could be used for decoding individual records did not properly
                  support this capability.
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server to provide support for enforcing a maximum
                  search size limit.
                  <br><br>
                </li>

                <li>
                  Improve debugging support for response messages for connections operating in
                  synchronous mode.
                  <br><br>
                </li>

                <li>
                  Dramatically improve code examples included in class-level javadoc comments.  All
                  code examples are now covered by unit tests to ensure that the code is valid, and
                  many of the examples have been improved to be more useful and production quality.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>FewestConnectionServerSet</tt> class that can be used to cause
                  connections to be established to the server with the fewest number of established
                  connections (based only on connections already created by that server set
                  instance).  This can help ensure that the distribution of connections across
                  multiple servers remains relatively even.
                  <br><br>
                </li>

                <li>
                  Update the <tt>FailoverServerSet</tt> to make it possible to specify an alternate
                  maximum connection age that will be used for "failover" connections (i.e.,
                  connections established to any server except the first server in the list, or that
                  are created using any server set other than the first set in the list).  This will
                  only have any effect if the server set is used to create an
                  <tt>LDAPConnectionPool</tt>, but it can be used to help ensure a faster fail-back
                  to a "preferred" configuration after a connection failure is encountered.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>LDAPConnection.getLastCommunicationTime</tt> method that can be
                  used to determine the time that the connection was last used to send a request or
                  read a response (and therefore determine how long the connection has been idle).
                  <br><br>
                </li>

                <li>
                  Add a new <tt>LDAPConnectionPool.getConnection</tt> method that can be used to
                  request a connection to a particular server by providing the address and port of
                  the target server.  This is primarily useful when the connection pool may contain
                  connections to multiple servers, but a specific server is desired for handling a
                  particular request.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>LDAPConnectionPool.discardConnection</tt> method that can be used
                  to indicate that the provided connection is no longer needed and should be
                  closed without creating a new connection to take its place.  This can be used to
                  reduce the number of connections in the pool if desired.
                  <br><br>
                </li>

                <li>
                  Update the connection pool so that by default, connections will be closed and
                  re-established as a result of the maximum connection age only by the background
                  health check.  Previously, the pool would also check the age of a connection
                  whenever that connection was released back to the pool, but in busy applications
                  this could result in multiple connections being closed and re-established
                  concurrently, which could have a significant performance impact on the directory
                  server.
                  <br><br>
                </li>

                <li>
                  Update the connection pool so that it is possible to set a different maximum
                  connection age for connections that were created to replace defunct connections
                  than connections that were created under normal conditions.  This can help
                  ensure a faster fail-back to a more normal allocation of connections in a pool
                  that may have connections balanced across multiple servers.
                  <br><br>
                </li>

                <li>
                  Add new <tt>addAttribute</tt> and <tt>setAttribute</tt> methods to the entry
                  class that make it possible to specify multiple string values for the attributes
                  using a collection.
                  <br><br>
                </li>

                <li>
                  Add two new example tools:  identify-references-to-missing-entries (which can be
                  used to identify any entries which contain attributes whose values are DNs that
                  reference nonexistent entries), and identify-unique-attribute-conflicts (which
                  can be used to identify any values for an attribute or set of attributes that
                  appear in multiple entries).
                  <br><br>
                </li>

                <li>
                  Provide a more useful error message if a client-side timeout is encountered while
                  waiting for the response to a request.  Previously, this message would only
                  include the type of operation that timed out.  It now also includes the LDAP
                  message ID for the operation, as well as additional operation-specific
                  information about the request.
                  <br><br>
                </li>

                <li>
                  Provide a more useful error message if a problem is encountered during SASL bind
                  processing when one or more unhandled callbacks were encountered during
                  processing.
                  <br><br>
                </li>

                <li>
                  Update the GSSAPI bind request to make it possible to specify a server name that
                  is different from the address used to establish the connection to that server.
                  <br><br>
                </li>

                <li>
                  Define a new system property that can be used to specify the default SSL/TLS
                  protocol that should be used for secure communication.  It is still possible to
                  programmatically specify the default protocol using the
                  <tt>SSLUtil.setDefaultSSLProtocol</tt> method.
                  <br><br>
                </li>

                <li>
                  Add the ability to provide an <tt>SSLSocketFactory</tt> as an alternative to an
                  <tt>SSLContext</tt> when creating a StartTLS extended request.
                  <br><br>
                </li>

                <li>
                  Update the StartTLS post-connect processor to include a client-side timeout in
                  the StartTLS extended request if appropriate.
                  <br><br>
                </li>

                <li>
                  Update the prompt trust manager to make it possible to determine whether the
                  trust manager would interactively prompt the user about a certificate.
                  <br><br>
                </li>

                <li>
                  Omit the "entriesReturned" and "referencesReturned" elements from the string
                  representation of a search result if those values are not known.  Previously,
                  these elements would be included with a value of "-1" in such cases.
                  <br><br>
                </li>

                <li>
                  Add support for a new list configurations extended operation, which may be used
                  to request information about active, baseline, and archived configurations
                  available to the server, and a get configuration extended operation, which may
                  be used to retrieve a specific version of the configuration.  These are primarily
                  intended for use in processing performed by the new config-diff tool, but may be
                  useful in other contexts as well.
                  <br><br>
                </li>

                <li>
                  Add support for a get backup compatibility descriptor extended operation, and for
                  an identify backup compatibility problems extended operation.  These operations
                  may be used to help determine whether a backup taken from one server instance can
                  be successfully restored into another server instance.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 2.3.4</h3>

              <p>
                The following changes were made between the 2.3.3 and 2.3.4 releases:
              </p>

              <ul>
                <li>
                  A bug in the Oracle javadoc tool (as described in
                  <a href="http://www.kb.cert.org/vuls/id/225657">VU#225657</a>) could cause
                  javadoc documentation generated by vulnerable versions of that tool to include a
                  javascript flaw that could allow an attacker to craft a URI that could cause an
                  arbitrary page to be displayed.  The LDAP SDK javadoc documentation is now
                  generated with an updated version of the javadoc tool that no longer contains
                  this vulnerability.
                  <br><br>
                </li>

                <li>
                  Fix a connection pool bug that could cause a connection to be unnecessarily
                  closed and re-established in the course of processing a simple bind operation if
                  the connection was configured to operate in synchronous mode.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the LDAP SDK schema parser that could prevent it from properly
                  decoding schema elements in which the closing parenthesis immediately followed an
                  OBSOLETE, SINGLE-VALUE, or NO-USER-MODIFICATION token without a space between the
                  token and the parenthesis.
                  <br><br>
                </li>

                <li>
                  Change the way the LDAP SDK maintains disconnect information to eliminate a
                  potential code flow that could allow multiple disconnect notifications for a
                  single disconnect.
                  <br><br>
                </li>

                <li>
                  Add support for the Microsoft DirSync control that may be used with Active
                  Directory in order to obtain information about changes that have been processed
                  in the server.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the entry validator class that could cause it to incorrectly
                  classify entries with multiple structural object classes as entries that were
                  missing a structural object class.
                  <br><br>
                </li>

                <li>
                  The LDAP command-line tool API has been updated so to provide new
                  "--promptForBindPassword", "--promptForKeyStorePassword", and
                  "--promptForTrustStorePassword" arguments.  These arguments may allow the
                  associated password to be interactively provided by the end user in a secure
                  manner as an alternative to requiring the password to be provided as a
                  command-line argument or stored in a clear-text file.
                  <br><br>
                </li>

                <li>
                  The LDAP command-line tool API has been updated to make it possible to create
                  tools that do not offer arguments for simple or SASL authentication.  This can
                  allow creating tools that may need to establish only unauthenticated connections.
                  <br><br>
                </li>

                <li>
                  Improve the argument validation used by LDAP command-line tools to help
                  avoid problems that result from arguments provided when they are not needed.
                  <br><br>
                </li>

                <li>
                  Add support for an extended operation and a SASL mechanism that can be used to
                  support multifactor authentication using a one-time password delivered to the
                  end user through some out-of-band mechanism (e.g., e-mail, SMS messages, etc.).
                  A command-line tool has also been provided that can be used to easily test the
                  ability to deliver one-time passwords to users, and the LDAP command-line tool
                  API has been updated to provide support for this new SASL mechanism.
                  <br><br>
                </li>

                <li>
                  Update the summarize-access-log tool to provide additional information, including
                  a breakdown of selected client connection policies and their relative
                  percentages, a breakdown of disconnect reasons and their relative percentages,
                  and information about the number and relative percentage of operations that
                  resulted in access to uncached data.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 2.3.3</h3>

              <p>
                The following changes were made between the 2.3.2 and 2.3.3 releases:
              </p>

              <ul>
                <li>
                  Fix a problem with the CSS file used to generate javadoc documentation that could
                  cause it to appear malformed when built with Java SE 7, even though it looked
                  fine when built with Java SE 6.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 2.3.2</h3>

              <p>
                The following changes were made between the 2.3.1 and 2.3.2 releases:
              </p>

              <ul>
                <li>
                  Update the <tt>LDAPConnectionPool</tt> class to make it possible to successfully
                  create a connection pool even if a failure is encountered while attempting to
                  establish one or more of the initial connections.
                  <br><br>
                </li>

                <li>
                  Update the <tt>LDAPConnectionPool</tt> class to make it possible to use multiple
                  threads to establish the initial set of connections more quickly.  This can
                  dramatically reduce the length of time required to create a pool, especially
                  when establishing a large number of connections and/or when connecting to a
                  remote or slow-to-respond server.  It is also now possible to use multiple
                  threads to close connections in parallel and optionally skip sending an unbind
                  request before closing the connections.
                  <br><br>
                </li>

                <li>
                  Update connection pooling support when connections are configured to
                  automatically retrieve schema information from the server.  In a connection
                  pool, it is now possible to cache the schema so that it will not be retrieved
                  for every connection that is established.
                  <br><br>
                </li>

                <li>
                  Update connection pool support to a method that can be used to process a bind,
                  and then immediately re-bind with the credentials that were initially used when
                  the connection was established.  Also add a method that can be used to release a
                  connection and have it be re-authenticated using the credentials that were
                  initially used when the connection was established.
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server to make it possible to specify multiple
                  schema files that will all be combined to generate the server schema.
                  <br><br>
                </li>

                <li>
                  Update the persistence framework so that the default object encoder includes
                  support for serialized objects.  This may result in attribute values that aren't
                  useful to non-Java clients, but may still provide a convenient way to store some
                  complex information in LDAP entries.
                  <br><br>
                </li>

                <li>
                  Update the persistence framework to provide a new <tt>getAll</tt> method that
                  makes it possible to retrieve all objects of the associated type below a given
                  base DN.
                  <br><br>
                </li>

                <li>
                  Update the generate-schema-from-source tool so that it will include default
                  values for the equality, ordering and/or substring matching rules for all
                  attribute types that it creates.
                  <br><br>
                </li>

                <li>
                  Update the generate-schema-from-source tool so that it provides a new
                  "--modifyFormat" argument that will cause the tool to generate new schema
                  elements as LDIF modify change records instead of as attributes in an LDIF
                  entry.
                  <br><br>
                </li>

                <li>
                  Update the javadoc for getter methods in the <tt>Filter</tt> class to make it
                  clearer which methods may be used with which filter types.
                  <br><br>
                </li>

                <li>
                  Update the javadoc for methods that may be used for performing searches, as well
                  as for methods that may be used to set search size and time limits, to make it
                  clear that if an LDAPSearchException is thrown, it may include information about
                  any entries and/or references that were returned before the exception was
                  thrown.
                  <br><br>
                </li>

                <li>
                  Update the <tt>SSLUtil</tt> class to the ability to specify the default SSL/TLS
                  protocol string that will be used for creating SSL contexts when the caller
                  doesn't explicitly specify a protocol.
                  <br><br>
                </li>

                <li>
                  Update the LDAP listener canned response request handler to add the ability to
                  return a specified set of entries and/or references for every search operation.
                  <br><br>
                </li>

                <li>
                  Ensure that disconnect information is always set for a connection that is being
                  closed.  If the connection is closed through an unexpected code path, then it
                  will now include a stack trace that provides information about the call path
                  that resulted in the connection closure.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>MultiServerLDAPCommandLineTool</tt> API that can be used to easily
                  create command-line tools that need to interact with multiple LDAP servers.
                  <br><br>
                </li>

                <li>
                  Update the LDAP SDK command-line tool API to add convenience methods for
                  registering a JVM shutdown hook that will be invoked when the JVM in which the
                  tool is running is shut down (e.g., when all non-daemon threads have completed
                  running the JVM receives a break or kill signal).
                  <br><br>
                </li>

                <li>
                  Add a convenience method to the <tt>LDIFAddChangeRecord</tt> class that makes it
                  easy to get the entry to be added.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>SASLBindInProgressException</tt> that extends
                  <tt>LDAPException</tt> and will be thrown instead of a generic
                  <tt>LDAPException</tt> if the server returns a "SASL bind in progress" result.
                  This will most likely occur when processing a SASL bind using the
                  <tt>GenericSASLBindRequest</tt> class.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>LDIFWriterEntryTranslator</tt> class that can be used to transform
                  or suppress entries to be written to an LDIF file.
                  <br><br>
                </li>

                <li>
                  Update the LDAP debugger tool so that it can be used to accept SSL-based
                  connections from clients.
                  <br><br>
                </li>

                <li>
                  Improve the <tt>Attribute.equals</tt> method to make it much more efficient for
                  attributes with multiple values.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>LDAPTestUtils.assertDNsEqual</tt> method that can be used to
                  ensure that two strings represent equivalent LDAP DNs.
                  <br><br>
                </li>

                <li>
                  Improve the amount of detail provided by the <tt>assertValueExists</tt> and
                  <tt>assertAttributeMissing</tt> methods in the <tt>LDAPTestUtils</tt> class if
                  the assertion fails.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the LDIF reader that could prevent it from properly handling
                  comment lines that had been wrapped.
                  <br><br>
                </li>

                <li>
                  Fix a synchronization bug in the round-robin server set that could cause it to
                  throw an exception under highly concurrent load.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the in-memory directory server that could cause it to send an
                  incorrectly-formatted search result done message for the case in which the size
                  size limit was exceeded.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the <tt>LDAPThreadLocalConnectionPool</tt> that could cause it to
                  establish an extra connection if a health check is configured for the pool and
                  the <tt>ensureConnectionValidForCheckout</tt> method indicates that the existing
                  connection is not valid.
                  <br><br>
                </li>

                <li>
                  Fix a bug that could prevent connections from using the referral behavior
                  specified in the LDAP connection options that were set after the connection was
                  already established.
                  <br><br>
                </li>

                <li>
                  Fix a number of bugs that could interfere with the ability for a connection to
                  be automatically re-established if it becomes invalid.
                  <br><br>
                </li>

                <li>
                  Update the <tt>DurationArgument</tt> class to eliminate its dependency on the
                  <tt>MINUTES</tt>, <tt>HOURS</tt>, and <tt>DAYS</tt> values for the
                  <tt>TimeUnit</tt> enum.  These values were not added until Java SE 6, and
                  attempts to use the <tt>DurationArgument</tt> class in a Java SE 5 environment
                  could result in errors.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the persistence framework in which the <tt>inModify</tt> element of
                  <tt>LDAPField</tt> and <tt>LDAPGetter</tt> annotations may not be honored if the
                  object being modified was retrieved from a directory and references a copy of
                  the original entry in a field marked with <tt>LDAPEntryField</tt>.
                  <br><br>
                </li>

                <li>
                  Fix a bug in the persistence framework that can interfere with the ability to
                  generate search filters when using annotated objects that extend other annotated
                  objects.
                  <br><br>
                </li>

                <li>
                  Fix a potential null pointer exception that could arise in some cases when
                  trying to use a connection that was not established.  An LDAP exception will now
                  be thrown instead.
                  <br><br>
                </li>

                <li>
                  Fix a potential null pointer exception that could be thrown when creating a
                  connection pool and a problem was encountered while attempting to establish one
                  of the initial connections after at least one connection had already been
                  established.
                  <br><br>
                </li>

                <li>
                  Fix a problem with the LDAP SDK build process that prevented building it with
                  Java SE 7, and clean up the code to remove a number of warnings generated when
                  building with Java SE 7.
                  <br><br>
                </li>

                <li>
                  Add support for a new multi-update extended operation that can be used to
                  request multiple updates in a single request.  The updates may optionally be
                  processed as a single atomic unit so that any failure encountered while
                  processing any of the operations will prevent any of the changes from being
                  applied.
                  <br><br>
                </li>

                <li>
                  Add support for a new UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism handler
                  that can be used to perform multifactor authentication using both a client
                  certificate and a password.
                  <br><br>
                </li>

                <li>
                  Add support for a new set of controls that can be used with a bind operation to
                  request information about a number of user resource limits, including the user's
                  size limit, time limit, idle time limit, lookthrough limit, group membership,
                  assigned privileges, default entry balancing authorization DN, and the name of
                  the client connection policy that would have been assigned to the user.
                  <br><br>
                </li>

                <li>
                  Add support for extended operations that can be used to get and set information
                  about restricted subtree accessibility in the server.  This makes it possible to
                  indicate that a specified subtree should be hidden or read-only except for
                  access by a specified user.  A command-line tool has been provided that can be
                  used to get and set the accessibility of a specified subtree in the server.
                  <br><br>
                </li>

                <li>
                  Add support for a control that can be used to indicate that updates for certain
                  operational attributes (e.g., last access time, last login time, last login IP
                  address, and lastmod attributes) should be suppressed for the associated
                  operation.
                  <br><br>
                </li>

                <li>
                  Add support for a set of controls that can be used in conjunction with assured
                  replication, in order to request the desired assurance level and receive
                  feedback about the level of assurance that was attained.
                  <br><br>
                </li>

                <li>
                  Add support for a control that can be used in conjunction with a delete or
                  modify DN operation to indicate that no referential integrity processing should
                  be performed for the associated operation.
                  <br><br>
                </li>

                <li>
                  Add support for a task that can be used to cause the server to re-encode
                  entries within a specified branch.  This can help transition existing data to
                  use encryption, compression, uncached content, or other altered encodings
                  without the need to export data to LDIF and re-import.
                  <br><br>
                </li>

                <li>
                  Add a class and command-line tool that can be used to help move a single entry
                  or a tree of entries from one server to another.  The move can be accomplished
                  using either interactive transactions or via restricted subtree accessibility.
                  <br><br>
                </li>

                <li>
                  Update support for the get changelog batch extended request to make it possible
                  to indicate whether to return modifications to and/or deletes of soft-deleted
                  entries.
                  <br><br>
                </li>

                <li>
                  Update the <tt>MonitorManager</tt> class so that methods for retrieving monitor
                  entries now allow <tt>LDAPInterface</tt> objects as an alternative to
                  <tt>LDAPConnection</tt>.
                  <br><br>
                </li>

                <li>
                  Update the <tt>SASLUtils</tt> class so that if the Commercial Edition classes
                  are available, then any Commercial Edition SASL mechanisms will be supported.
                  <br><br>
                </li>

                <li>
                  Update the log parsing API to add support for the new security negotiation,
                  entry rebalancing, and assured replication access log message types, and for the
                  uncachedDataAccessed element.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 2.3.1</h3>

              <p>
                The following changes were made between the 2.3.0 and 2.3.1 releases:
              </p>

              <ul>
                <li>
                  Fix a bug that could result in memory pressure with a high volume of
                  asynchronous operations.  This was a regression introduced by a change which
                  made it possible for timeouts to be honored for asynchronous operations.
                  <br><br>
                </li>

                <li>
                  Made a number of improvements to SSL support, including the addition of a new
                  aggregate trust manager (which can combine the result of multiple trust managers
                  when deciding whether to trust a certificate), a validity date trust manager
                  (which can reject a certificate based on its validity time period), and a
                  hostname trust manager (which can reject a certificate based on a conflict
                  between the expected server hostname and the value of the certificate's CN
                  subject attribute or a subjectAltName extension).  In addition, the prompt trust
                  manager now displays additional information, including MD5 and SHA-1
                  fingerprints, to allow the user to make more informed decisions about whether to
                  trust a certificate.
                  <br><br>
                </li>

                <li>
                  Updated support for the SASL EXTERNAL bind request so that it is now possible
                  to request an authorization identity element in the SASL credentials.  It is
                  now possible to create a SASL EXTERNAL bind request which does or does not
                  include SASL credentials.
                  <br><br>
                </li>

                <li>
                  Update the persistence framework to provide more complete support for modify
                  processing when the resulting entry may be altered via a post-encode method.  If
                  the object has a field marked with @LDAPEntryField, then the updated object will
                  be encoded and compared with the original entry to determine the appropriate set
                  of modifications.
                  <br><br>
                </li>

                <li>
                  Add a connection option that controls whether multiple threads will be allowed
                  to make concurrent use of the same socket factory instance to create multiple
                  connections.  A change introduced in the 2.3.0 release made all socket factory
                  interaction synchronized because it was observed that some IBM VMs do not
                  support concurrent use of an SSL socket factory instance.  The default behavior
                  is now to allow concurrent socket factory use for Sun and Oracle VMs, but to
                  require synchronized use in other VMs.  However, this default can be overridden
                  in the LDAPConnectionOptions class.
                  <br><br>
                </li>

                <li>
                  Add a new fastest connect server set implementation which attempts to connect to
                  all associated servers in parallel and will return the first connection to be
                  established.  This may increase the connect-time load across all servers, but
                  will minimize the length of time required to establish a connection in the event
                  that any of the servers is having a problem.
                  <br><br>
                </li>

                <li>
                  Update the LDIF reader to add new options which can be used to have more control
                  over the treatment of trailing spaces in non-base64-encoded values (reject,
                  strip, or retain) and the treatment of duplicate attribute values (reject,
                  strip, or retain).
                  <br><br>
                </li>

                <li>
                  Update the LDIF reader to add support for file URLs with relative paths.  By
                  default, these paths will be relative to the JVM's current working directory,
                  but it is possible to specify a custom base directory for relative paths.
                  <br><br>
                </li>

                <li>
                  Update the searchrate, modrate, and search-and-mod-rate tools to provide a new
                  "--iterationsBeforeReconnect" argument, which makes it possible to periodically
                  close and re-establish each connection.  The default behavior, in which each
                  thread will create its own connection that it will continue to use for the
                  entire run, has not changed.
                  <br><br>
                </li>

                <li>
                  Update the base64 encoding and decoding capabilities to support the base64url
                  encoding as described in RFC 4648 section 5.  Also, add support for base32
                  encoding and decoding as described in RFC 4648 section 6.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>LDAPCommandLineTool</tt> class to provide a new
                  <tt>getUnauthenticatedConnection</tt> method that can be used to obtain a
                  connection to the target server (including the use of SSL or StartTLS if so
                  configured) but without performing any authentication on that connection.  Also
                  make the <tt>createSSLUtil</tt> and <tt>createBindRequest</tt> methods public so
                  that they can be used by third-party code.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>DurationArgument</tt> class to provide a public static method
                  that can be used to parse a duration string to a numeric value based on a given
                  time unit.
                  <br><br>
                </li>

                <li>
                  Update the ResultCode class to make it possible to provide a user-friendly name
                  for result codes not defined in the out-of-the-box set included with the LDAP
                  SDK.
                  <br><br>
                </li>

                <li>
                  Change the way that localization message files are stored and referenced within
                  the code.  Some users have reported problems with their own applications having
                  properties files with names that conflict with properties file names used by
                  the LDAP SDK (e.g., "ldap.properties", "util.properties", etc.).  To avoid this
                  problem, all LDAP SDK property files now have names starting with
                  "unboundid-ldapsdk-".  In addition, the code has been updated to make even this
                  unlikely conflict less troublesome.
                  <br><br>
                </li>

                <li>
                  Updated the source for the Android LDAP client to use positional indicators in
                  format strings with multiple substitutions.  It appears this is now required for
                  recent versions of the Android SDK.
                  <br><br>
                </li>

                <li>
                  Add support for HMAC-based one-time passwords (HOTP, as described in RFC 4226)
                  and time-based one-time passwords (TOTP, as described in RFC 6238).  Also, add
                  support for a new UNBOUNDID-TOTP SASL mechanism, which can be used to perform
                  multifactor authentication (combining a TOTP code with a username and password)
                  to UnboundID Directory Server instances which support this mechanism, and a
                  validate TOTP password extended request that can be used to validate a TOTP
                  password without performing a bind on the connection.
                  <br><br>
                </li>

                <li>
                  Add a number of changes in support for soft delete and undelete functionality
                  in the UnboundID Directory Server.  This includes a soft delete request control
                  (to request a soft delete operation) and a corresponding response control, a
                  hard delete request control (to request an entry be completely removed), an
                  undelete request control (to request that a soft-deleted entry be restored), and
                  a soft-deleted entry access request control (to request that search results
                  include soft-deleted entries).  It also includes updates to access log parsing,
                  changelog entry parsing, and monitor entry parsing to expose information about
                  soft delete and undelete processing, and a new <tt>SoftDeletedEntry</tt> object
                  that can obtain information about a soft-deleted entry stored in the server.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 2.3.0</h3>

              <p>
                The following changes were made between the 2.2.0 and 2.3.0 releases:
              </p>

              <ul>
                <li>
                  Add a new <tt>DNSSrvRecordServerSet</tt> class, which is a <tt>ServerSet</tt>
                  implementation that can use DNS SRV records (as described in RFC 2782) to
                  discover available directory servers.  This new implementation can consider
                  defined priorities and weights for SRV records so that some servers may be
                  preferred over based on information contained in the DNS server.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>SASLUtils</tt> class that can be used to more easily work with
                  command-line tools that don't inherit from <tt>LDAPCommandLineTool</tt> but
                  may still need to perform SASL binds.  It provides methods for getting access to
                  supported SASL mechanisms and the options that they support.
                  <br><br>
                </li>

                <li>
                  Add a new <tt>com.unboundid.ldap.sdk.experimental</tt> package with classes that
                  may be used to support certain features that may still be works in progress and
                  have the potential to change significantly (including in incompatible ways) in
                  the future.  At present, this includes support for controls from
                  draft-behera-ldap-password-policy-10 and draft-zeilenga-ldap-noop-12.
                  <br><br>
                </li>

                <li>
                  Update the connection support for schema caching so that if multiple connections
                  reference equivalent schemas, then they will reference the same object rather
                  than separate equivalent objects.  This can dramatically reduce memory
                  consumption if schema caching is enabled.
                  <br><br>
                </li>

                <li>
                  Fix a bug that could cause the output of <tt>ByteStringBuffer.toByteString</tt>
                  to be unstable and reflect subsequent changes in the content of the associated
                  <tt>ByteBuffer</tt>.
                  <br><br>
                </li>

                <li>
                  Update support for asynchronous operations so that it is possible for them to
                  respect a configured timeout.  Previously, operation timeouts were ignored for
                  asynchronous operations.
                  <br><br>
                </li>

                <li>
                  Update the LDAP SDK persistence framework to add support for attributes with
                  options.  It is now possible to use attribute names with options.
                  <br><br>
                </li>

                <li>
                  Update the LDAP SDK persistence framework to make it possible to specify
                  superior object classes in the @LDAPObject annotation type.  If specified, these
                  object classes will be included in generated entries.  The
                  <tt>generate-source-from-schema</tt> tool has been updated to populate this
                  element if appropriate.
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server to make it possible to alter the server
                  schema using LDAP modify operations.  Only add and delete modifications will be
                  allowed for the attributeTypes, objectClasses, nameForms, dITContentRules,
                  dITStructureRules, and matchingRuleUse attributes.  No modifications will be
                  allowed for the ldapSyntaxes and matchingRules attributes.
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server to make it possible to customize schema
                  enforcement.  It is now possible to allow values which violate the associated
                  attribute syntax, and/or to allow entries which do not have exactly one
                  structural object class.
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server so that it is possible to indicate that
                  equality indexes should be maintained for specified attributes.  If enabled, the
                  server may exhibit better performance for certain kinds of searches (those using
                  an equality component targeting an indexed attribute, including those which may
                  be included in AND or OR filters).
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server to make it possible to perform simple and
                  SASL PLAIN binds directly against the server itself without the need to
                  establish a connection to it.
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server to make a number of logging-related
                  improvements.  A race condition which could cause incorrect entry counts to be
                  included in log messages has been fixed.  Log messages now include timestamps.
                  Access and/or LDAP debug messages can now be written to standard output.
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server to make it possible to customize the
                  values included in the vendorName and vendorVersion attributes of the server
                  root DSE.  This can help make it easier for the in-memory server to impersonate
                  another type of directory to fool applications which will only work with certain
                  types of servers and which use these attributes to make that determination.
                  <br><br>
                </li>

                <li>
                  Update the in-memory directory server so that the authorization identity
                  response control will always use the "dn:" form of the authorization identity,
                  even for PLAIN binds that initially used the "u:" form.  Also, fix a bug in
                  which it would incorrectly return "dn:" instead of just "" for an anonymous
                  authorization identity.
                  <br><br>
                </li>

                <li>
                  Update connection pool health checking support to make it possible to more
                  quickly recognize server-initiated disconnects and unsolicited notifications for
                  connections operating in synchronous mode.
                  <br><br>
                </li>

                <li>
                  Update connection pool support for retrying failed operations to make it
                  possible to control the types of operations that should be retried.  It was
                  previously only possible to configure it on an all-or-nothing basis.
                  <br><br>
                </li>

                <li>
                  Update the default standard schema (which will be used by the in-memory
                  directory server unless configured to do otherwise) so that it includes
                  information about supported syntaxes and matching rules.  These ldapSyntaxes and
                  matchingRules values will be included in the schema exposed by the in-memory
                  directory server.
                  <br><br>
                </li>

                <li>
                  Update the LDIF reader to add static methods that make it easy to read entries
                  from an LDIF file and return them as a list.  This is a convenient way to read
                  entries from small LDIF files (e.g., for use in unit tests).
                  <br><br>
                </li>

                <li>
                  Improve the efficiency of the <tt>Entry.diff</tt> method when using reversible
                  form and working with entries with attributes that have a large number of
                  values.
                  <br><br>
                </li>

                <li>
                  Update the <tt>CommandLineTool</tt> class to provide an optional
                  <tt>getToolVersion</tt> method that may be used to retrieve the version string
                  for the associated tool.  If a version string is made available, then a new
                  "<tt>--version</tt>" argument may be automatically added to the tool to cause it
                  to display the version string.
                  <br><br>
                </li>

                <li>
                  Update the support for LDAP URLs to provide support for URLs with the "ldapi"
                  scheme.  Note that the LDAP SDK does not directly support LDAPI (although it may
                  be possible to use with a third-party library that provides support for UNIX
                  domain sockets), but it can now parse LDAP URLs with a scheme of "ldapi".
                  <br><br>
                </li>

                <li>
                  Update value pattern implementations to make it possible to specify a seed to
                  use for the random number generator, which can provide for more reproducible
                  results.  The searchrate, modrate, authrate, and search-adn-mod-rate tools have
                  been updated to add a <tt>--randomSeed</tt> argument that can be used to specify
                  a random seed if one is desired.
                  <br><br>
                </li>

                <li>
                  Update the validate-ldif tool to add support for working with gzip-compressed
                  LDIF files.
                  <br><br>
                </li>

                <li>
                  Update the <tt>LDAPException.toLDAPResult</tt> method so that it will use the
                  exception message as the diagnostic message for the resulting
                  <tt>LDAPResult</tt> object if the exception does not have a specific diagnostic
                  message.
                  <br><br>
                </li>

                <li>
                  Update the <tt>ObjectPair</tt> class to provide <tt>hashCode</tt>,
                  <tt>equals</tt>, and <tt>toString</tt> methods.
                  <br><br>
                </li>

                <li>
                  Update all uses of <tt>SocketFactory.createSocket</tt> methods are synchronized
                  on the associated socket factory.  In some implementations (including those used
                  by the IBM JVM), unsynchronized calls to these methods may result in unexpected
                  exceptions or other strange behavior.
                  <br><br>
                </li>

                <li>
                  Update support for the GSSAPI SASL mechanism to provide the ability to operate
                  in IBM JVMs.
                  <br><br>
                </li>

                <li>
                  Add support for new start and end administrative session extended operations.
                  <br><br>
                </li>

                <li>
                  Update changelog entry support to reflect a number of changes, including
                  information about suppressed attributes and virtual attributes.
                  <br><br>
                </li>

                <li>
                  Update support for the get changelog batch extended operation to make it
                  possible to indicate that the set of changelog entries to retrieve should be
                  filtered based on target attributes, and to indicate whether changelog entries
                  should be pared based on access control and sensitive attribute constraints
                  (optionally using the identity of another target user).
                  <br><br>
                </li>

                <li>
                  Add support for the new audit data security task, which can be used to examine
                  all entries in a specified set of backends for potential security-related
                  issues.
                  <br><br>
                </li>

                <li>
                  Update the support for the enter and leave lockdown mode tasks to make it
                  possible to specify a reason that the server is being placed in or taken out of
                  lockdown mode.
                  <br><br>
                </li>

                <li>
                  Update monitor entry support for the new FIFO entry cache and per-application
                  processing time histogram monitor entries.
                  <br><br>
                </li>

                <li>
                  Update monitor entry support for the general monitor entry to add support for
                  the new thirdPartyExtensionDN attribute.
                  <br><br>
                </li>

                <li>
                  Update monitor entry support for the UnboundID work queue to add support for new
                  attributes regarding the use of a separate thread pool for administrative
                  operations.
                  <br><br>
                </li>

                <li>
                  Update monitor entry support for the replication server monitor entry to add
                  support for the new ssl-encryption-available attribute.
                  <br><br>
                </li>

                <li>
                  Update the <tt>summarize-access-log</tt> tool to add support for working with
                  gzip-compressed access log files.
                  <br><br>
                </li>

                <li>
                  Update access log parsing support to add support for a number of new log fields,
                  including the use of an administrative session worker thread, add and modify
                  attribute names, search entry attributes returned, and search request size
                  limit, time limit, typesOnly, and dereference policy values.
                  <br><br>
                </li>

                <li>
                  Improve documentation for UnboundID-proprietary controls and extended
                  operations, and provide examples for elements that were missing them.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 2.2.0</h3>

              <p>
                The following changes were made between the 2.1.0 and 2.2.0 releases:
              </p>

              <ul>
                <li>
                  Introduced a new way of packaging the LDAP SDK in a way that results in a
                  significantly smaller jar file.  The Minimal Edition provides full support for
                  LDAP communication and LDIF parsing, but strips out a number of optional
                  features (e.g., SASL authentication, support for many controls and extended
                  operations, examples, the LDAP listener package and in-memory directory server,
                  the LDAP SDK persistence framework, migration support for JNDI and the Netscape
                  SDK, command-line argument parsing).  The Minimal Edition is primarily intended
                  for use in space-constrained environments (e.g., Android applications) in which
                  the smallest possible jar file is desired.
                  <br><br>
                </li>

                <li>
                  Updated connection pool implementations to make it possible to configure the
                  pools to automatically retry operations if the first attempt fails in a manner
                  that indicates the connection may no longer be valid.  In such cases, a new
                  connection will be created (which may be established to a different server if a
                  server set is used) and used to retry the failed operation.
                  <br><br>
                </li>

                <li>
                  Add the ability to make use of schema information when generating the normalized
                  representation of DNs and RDNs, and for more operations when interacting with
                  entries.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to add support for referential integrity
                  for delete and modify DN operations.  This can be used to remove or update
                  references to an entry if that entry is deleted or renamed.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to add support for LDAP transactions as
                  described in RFC 5805.  This can be used to add, delete, and/or modify multiple
                  entries as a single atomic unit.
                  <br><br>
                </li>

                <li>
                  Updated the in-memory directory server to add the ability to insert an arbitrary
                  delay before processing operations.  This can be useful in simulating
                  environments with slower response times or higher network latencies.
                  <br><br>
                </li>

                <li>
                  Improved support for GSSAPI authentication to add a number of new options,
                  including:  the ability to indicate whether a ticket cache should be  used, the
                  ability to specify an alternate path to the ticket cache file, the ability to
                  require the use of cached credentials, and the ability to request that the TGT
                  be renewed.  It is also easier to obtain GSSAPI debugging information.
                  <br><br>
                </li>

                <li>
                  Update the default standard schema to include a definition for the aci attribute
                  type, which is not standard but is supported by a number of directory servers
                  and may commonly appear in many data sets.  Also, update the groupOfNames and
                  groupOfUniqueNames object classes to make it possible to have groups without any
                  members which is nonstandard but allowed by many servers.  Finally, make it more
                  efficient to retrieve the default standard schema for subsequent calls.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>LDAPConnectionOptions</tt> object to add an option that can be
                  used to send an abandon request to the server whenever a client-side response
                  timeout has occurred.  Previously, the client would stop waiting for a response
                  but would not attempt to prevent the server from completing processing on the
                  operation.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF reader to provide an option to read from multiple LDIF files.
                  If this option is used, then the contents of the files will be read in the order
                  they were provided (e.g., all the records will be read from the first file, then
                  all the records from the second file, etc.).  That is, this provides a way to
                  treat multiple LDIF files as if they were a single file.
                  <br><br>
                </li>

                <li>
                  Introduced new methods to make it much easier to work with response controls.
                  Each response control class now includes one or more static <tt>get</tt> methods
                  that can be used to retrieve and decode the control from a response message.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK persistence framework so that the
                  generate-source-from-schema tool will now generate methods that can make it
                  easier to search for objects using arbitrary criteria.  The persistence
                  framework previously only provided support for equality searches, but it is now
                  possible to perform more advanced types of searches, including presence,
                  substring, greater-or-equal, less-or-equal, and approximate matching.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK entry validator to make it possible to reject entries that
                  were missing superior object classes.  This also fixed a bug in the in-memory
                  directory server that made it possible for clients to perform modify operations
                  to remove superior object classes from an entry.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the filter evaluation logic that caused it to return the wrong
                  result for greater-or-equal and less-or-equal filters.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the in-memory directory server that could cause some superior
                  object classes to appear twice in an entry if the superior class was specified
                  after its subordinate class when the entry was added.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the persistence framework that caused it to throw an exception
                  when trying to perform a modify an object that had not been altered.  The code
                  has been updated so that it will now return null (as an alternative to the
                  LDAPResult that would be returned if a modification was actually attempted)
                  rather than throwing an exception.
                  <br><br>
                </li>

                <li>
                  Update the javadoc documentation for controls and extended operations to make
                  the OIDs used for those purposes more visible.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the command-line tool that may be used to interact with the
                  in-memory directory server that made it impossible to run the server with no
                  schema.
                  <br><br>
                </li>

                <li>
                  Updated the access log parsing code to add support for the new
                  intermediateResponsesReturned element that can appear in result messages for
                  operations in which one or more intermediate responses were returned.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF import task to provide support for the new strip trailing
                  spaces option.
                  <br><br>
                </li>

                <li>
                  Added support for the new operation purpose request control, which may be
                  included in any kind of LDAP request to identify the reason for that operation.
                  The log parsing framework has also been updated to provide a mechanism for
                  accessing operation purpose information in server access log messages.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 2.1.0</h3>

              <p>
                The following changes were made between the 2.0.1 and 2.1.0 releases:
              </p>

              <ul>
                <li>
                  Added the ability to easily create a simple memory-based LDAP server that
                  supports a wide range of LDAP functionality (including a number of controls and
                  extended operations).  It may be used as a server for testing or demonstrating
                  directory-enabled applications, and it provides a number of convenience methods
                  for interacting with and verifying the contents of that server.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>LDAPTestUtils</tt> class that provides a number of convenience
                  methods that can be usd to help write test cases for directory-enabled
                  applications and make determinations about the content of an LDAP directory
                  server.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>LDAPConnection.processOperation</tt> method that can be used to
                  process a generic request without needing to know the type of operation that it
                  represents.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>Schema.getDefaultStandardSchema</tt> method that can be used to
                  obtain a schema object populated with a number of standard attribute type and
                  object class definitions from various RFCs and IETF drafts.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>GenericSASLBindRequest</tt> class that can be used to process
                  any kind of SASL bind request if the caller is capable of properly encoding
                  and decoding request and response credentials.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>PasswordProvider</tt> API which can be used when performing
                  simple bind operations in order to minimize the length of time that the
                  clear-text password remains in memory.  If a password provider is used rather
                  than explicitly including the password in the bind request, then the memory
                  containing that password will be overwritten as soon as the password is no
                  longer needed.  A <tt>ReadFromFilePasswordProvider</tt> implementation of this
                  API is also included in the LDAP SDK, which makes it possible to obtain the
                  password from a file whenever it is needed.
                  <br><br>
                </li>

                <li>
                  Added support for the LDAP don't use copy request control as defined in RFC 6171
                  and can be used to request that only an authoritative directory server be used
                  to process the associated search or compare operation.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>Entry.mergeEntries</tt> method that can be used to create a new
                  entry containing all of the attribute values present in at least one of the
                  provided entries, and a new <tt>Entry.intersectEntries</tt> method that can be
                  used to create a new entry containing only those attribute values present in all
                  of the given entries.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the <tt>LDAPPersister.modify</tt> method that prevented it from
                  including controls in the request sent to the directory server.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could prevent a configured <tt>ReferralConnector</tt> from
                  being used.  In addition, it is now possible to use the
                  <tt>LDAPConnectionOptions</tt> class to configure a referral connector that will
                  be used for all connections created with those options rather than requiring
                  each connection to be explicitly assigned a custom referral connector if one was
                  needed.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>FixedRateBarrier</tt> class to use a much more efficient process
                  for dealing with low operation rates that can consume significantly less CPU.
                  Previously, it would always spin, but it will now try to sleep if there is a
                  long enough interval before the next operation can be processed.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>FailoverServerSet</tt> class to provide an option to re-order
                  the internal list of servers so that if a failover does occur, any unavailable
                  servers are moved to the end of the list so that the server to which the
                  connection was successfully established is now at the top of the list and will
                  be the first server tried for subsequent attempts.  The same behavior is
                  available for failing over between server sets rather than individual servers.
                  Note that the previous behavior of preserving the original order is still
                  available, and will continue to be used unless the server set is explicitly
                  configured to allow re-ordering the list.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF reader to provide better handling for illegal trailing spaces.
                  Previously, such spaces would be simply included in the content being read,
                  which is always the wrong thing to do.  Now, there is an option to either reject
                  entries and change records containing trailing spaces (which is the default) or
                  to silently strip them out.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>AsyncRequestID</tt> class so that it implements the
                  <tt>java.util.concurrent.Future</tt> API.  This can make it easier to wait for
                  and retrieve the response to asynchronous operations requested through the
                  LDAP SDK.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>LDAPConnection.processExtendedOperation</tt> methods so that
                  they are more likely to throw an exception in the event that the connection is
                  no longer valid.  Because extended operation responses may often include result
                  codes other than "success" even when the operation completed successfully, and
                  because it is undesirable to throw an exception when the operation completed
                  successfully, the LDAP SDK is more likely to return an <tt>ExtendedResult</tt>
                  object even for an unsuccessful operation in cases where it would have thrown an
                  <tt>LDAPException</tt> for other types of operations.  However, it was
                  previously too hesitant to throw an exception in cases where there clearly was a
                  failure, including when the associated connection was no longer valid, and this
                  could sometimes cause problems.  The LDAP SDK will now throw an exception in
                  cases where the operation was clearly not successful, and particularly in cases
                  where the connection may no longer be valid.
                  <br><br>
                </li>

                <li>
                  Improved the behavior of many of the command-line tools that can be used to
                  issue repeated requests against a directory server (e.g., <tt>searchrate</tt>,
                  <tt>modrate</tt>, etc.) so that they exhibit better behavior in the event that
                  the connection is lost or becomes no longer usable.  In some rare conditions,
                  the previous approach would attempt to re-establish connections which were no
                  longer authenticated, which could lead to failures or unexpected behavior in
                  the operations that had been attempted.
                  <br><br>
                </li>

                <li>
                  Updated the behavior of connections operating in asynchronous mode so that they
                  are less likely to encounter SO_TIMEOUT exceptions (or at least, will encounter
                  them with much less frequency) when connections remain idle for extended periods
                  of time.  These exceptions are harmless and are handled entirely by the LDAP SDK
                  so that the underlying application does not need to deal with them, but having
                  them occur too frequently has been observed to cause unnecessarily high CPU
                  utilization in some client systems.
                  <br><br>
                </li>

                <li>
                  Updated support for the GSSAPI SASL bind request so that it is possible to
                  specify an alternate protocol for use in the Kerberos service principal.  The
                  bind request previously always used a protocol of "ldap", and this is still the
                  default, but it is now possible to request that an alternate protocol be used in
                  the server's service principal.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>ldap-debugger</tt> tool so that it can be used for some kinds of
                  SASL authentication.  In addition, the format of the output that the tool
                  generates has been improved, particularly when dealing with binary data such as
                  may be present in control and extended operation values or SASL bind
                  credentials.  In such cases, the hex representation of the binary data may be
                  accompanied by a text representation of any printable ASCII characters contained
                  in that binary data.
                  <br><br>
                </li>

                <li>
                  Added an <tt>LDIFWriter.flush</tt> method, which can be used to flush any
                  buffered LDIF content to disk or the underlying output stream without the need
                  to close the writer.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>SSLUtil</tt> class to provide convenience methods for creating
                  <tt>SSLServerSocketFactory</tt> objects.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>LDAPConnectionOptions</tt> class-level documentation to indicate
                  that the auto-reconnect option doesn't apply to connections that are part of a
                  connection pool.  Connections in a connection pool will be closed and replaced
                  rather than attempting to re-establishing the existing connections.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>UnboundIDChangeLogEntry</tt> class which provides access to
                  a number of attributes which are specific to changelog entries included in the
                  UnboundID Directory Server, including the full set of previous and resulting
                  values for attributes altered by the associated operation, as well as the
                  values of other specified key attributes from the target entry.
                  <br><br>
                </li>

                <li>
                  Updated the access log parsing code to add support for the serversAccessed and
                  replicationChangeID elements which may appear in result log messages.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 2.0.1</h3>

              <p>
                The following changes were made between the 2.0.0 and 2.0.1 releases:
              </p>

              <ul>
                <li>
                  Updated the persistence framework to support inheritance.  If a class marked
                  with the <tt>@LDAPObject</tt> annotation type has a superclass which is also
                  annotated, then the annotated fields and methods of the superclass will be used
                  in the course of converting between entries and instances of the subclass.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>ValuePattern</tt> class to provide support for back-references,
                  in which it is possible to have a generated substring repeated later in the
                  generated value.  Also, fix a bug in its support for obtaining values from files
                  that could interfere with the ability to use Windows absolute paths containing a
                  drive letter.
                  <br><br>
                </li>

                <li>
                  Updated the formatter used to generate output for tools like searchrate,
                  modrate, and authrate so that they will use a string of "inf" for a numeric
                  value of infinity, and "NaN" for a numeric value of "not a number".  Also,
                  fix a couple of potential conditions that could cause divide by zero
                  errors.
                  <br><br>
                </li>

                <li>
                  Updated the argument parsing support to add a new "argument list" argument type,
                  in which values may themselves be parsed as argument strings, validated with
                  their own argument parser.  Also, updated string arguments to make it possible
                  to use a regular expression to restrict the set of values that may be used for
                  that argument.
                  <br><br>
                </li>

                <li>
                  Fixed a potential bug in the entry validator that could cause it to throw an
                  exception when attempting to parse an entry that does not have all of the
                  superior classes for the object classes it does include.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP connection pool implementation so that it is possible to
                  request that zero connections be initially created, so that the first connection
                  will only be created when the first operation is attempted.
                  <br><br>
                </li>

                <li>
                  Added static <tt>Filter.encodeValue</tt> methods that may be used to properly
                  escape a value for use in the string representation of a search filter.
                  <br><br>
                </li>

                <li>
                  Updated the intermediate response API to add a valueToString method, which may
                  be used to obtain a human-readable representation of the intermediate response
                  value.
                  <br><br>
                </li>

                <li>
                  Improved the quality of debugging information so that it can be more useful in
                  cases in which there may be multiple connections active at the same time.
                  Messages about LDAP communication will include a connection ID and LDAP message
                  ID, and result messages will include the protocol op type.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK jar file manifest to include new attributes with
                  additional metadata about the LDAP SDK build, including the build time and
                  source repository path and revision number.
                  <br><br>
                </li>

                <li>
                  Added support for a new task which may be used to cause the server to reload the
                  set of defined encryption settings definitions.
                  <br><br>
                </li>

                <li>
                  Updated the support for parsing UnboundID server log files to handle timestamps
                  with millisecond accuracy, and to add support the new intermediate response
                  access log message type.
                  <br><br>
                </li>

                <li>
                  Updated the summarize-access-log example tool so that it can differentiate
                  between unindexed searches that were completed successfully and those that were
                  rejected by the server.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK monitor parsing capabilities to support the new index
                  monitor entry type.  Also, update the version monitor entry type to provide
                  methods for accessing version information for several libraries used by the
                  server, and to update the replication summary monitor entry to support the
                  new term "replication backlog" rather than the old and potentially confusing
                  term "missing changes".
                  <br><br>
                </li>

                <li>
                  Added support for an exclude branch request control, which can be used to
                  request that entries at or below one or more base DNs be excluded from search
                  results.
                </li>
              </ul>

              <p></p>


              <h3>Version 2.0.0</h3>

              <p>
                The following changes were made between the 1.1.6 and 2.0.0 releases:
              </p>

              <ul>
                <li>
                  Added a new persistence API which can be used to make it easy to represent LDAP
                  entries as Java objects, and vice-versa.  Java annotation types may be used to
                  mark fields and methods within a class to provide information about the way that
                  instances of that object should be represented in LDAP entries.
                  <br><br>
                </li>

                <li>
                  Added a <tt>generate-source-from-schema</tt> tool that can be used to generate
                  the source code for a Java class based on information contained in a directory
                  server schema.  The generated Java source will have all of the necessary
                  annotations to allow that object to be used in conjunction with the LDAP SDK
                  persistence framework.
                  <br><br>
                </li>

                <li>
                  Added a <tt>generate-schema-from-source</tt> tool that can be used to generate
                  LDAP schema from a Java class configured for use with the LDAP SDK persistence
                  framework.  The generated schema may be added to a directory server to be able to
                  store objects of the specified type in the directory.
                  <br><br>
                </li>

                <li>
                  Added a new listener API which can be used to develop applications which accept
                  connections and manage communication with LDAP clients.  It may be used to help
                  develop applications which support interaction with LDAP clients.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>ldap-debugger</tt> tool which uses the listener API and other
                  components of the LDAP SDK to intercept communication from LDAP clients and
                  write details of the LDAP communication to standard output or a specified log
                  file.  The received LDAP requests will then be forwarded on to a target directory
                  server and any responses returned will be decoded and written to the same
                  location as the decoded requests before the responses are returned to the client.
                  This tool acts as a simple LDAP proxy server that can be used to help better
                  understand exactly what communication occurs between an LDAP client and server.
                  <br><br>
                </li>

                <li>
                  Added new argument types, including a BooleanValueArgument (in which the
                  provided value must be either "true" or "false", which is more useful in some
                  cases than the BooleanArgument in which the Boolean value is inferred based on
                  whether the argument was provided), a DurationArgument (in which the value
                  contains both an integer portion and a time unit, like "50ms", to indicate a
                  length of time), and a ScopeArgument (in which the value should represent an LDAP
                  search scope).
                  <br><br>
                </li>

                <li>
                  Updated the LDAP command-line tool interface to make it possible to specify the
                  format to use for the Java key store and trust store files.  The default
                  format will be JKS, but you can indicate that an alternate format (e.g., JCEKS
                  or PKCS12) if desired.
                  <br><br>
                </li>

                <li>
                  Updated the support for the LDAP assertion control to add a new <tt>generate</tt>
                  convenience method that can be used to easily generate an assertion request
                  control from some or all of the attributes in a provided entry.  This can be
                  used when updating an entry to help ensure that it has not been altered by
                  something else since it was last read.
                  <br><br>
                </li>

                <li>
                  Updated the support for the FileArgument class in which allows you to specify
                  the base directory to use for relative paths.  If no relative base path is
                  defined, then relative paths will be relative to the current working directory
                  (which has always been the case), but if a relative base path is defined, then
                  any relative paths will be relative to that base directory.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could cause problems when attempting to process operations which
                  return one or more intermediate response messages on a connection operating in
                  synchronous mode.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP join control support to include the ability to use the reverse
                  DN join type which has recently been added to the UnboundID Directory Server.
                  <br><br>
                </li>

                <li>
                  Added support for Java-based and Groovy-scripted third-party tasks that will be
                  supported in an upcoming version of the UnboundID Directory Server.
                  <br><br>
                </li>

                <li>
                  Added support for get a server ID request control, get server ID response
                  control, and route to server request control, which may be used in an upcoming
                  version of the UnboundID Directory Server and/or Directory Proxy Server to
                  retrieve information about which server was used to process a request, and to
                  request that an operation be processed by a specific server.
                  <br><br>
                </li>

                <li>
                  Added support for a get changelog batch extended operation which will be
                  supported in an upcoming version of the UnboundID Directory Server in order to
                  retrieve a set of changes processed within the server.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 1.1.6</h3>

              <p>
                The following changes were made between the 1.1.5 and 1.1.6 releases:
              </p>

              <ul>
                <li>
                  Fixed an error in the documentation for the ContentSyncRequestControl that
                  indicated a response timeout of -1 should be used instead of the correct
                  recommendation of 0.  A value of 0 indicates that no timeout should be used,
                  while -1 indicates that the connection-level timeout (5 minutes by default)
                  should be used.
                  <br><br>
                </li>

                <li>
                  Fixed the way that RDNs are created when decoding a DN from a string.
                  Previously, RDNs created in this way were treated in a way that could cause
                  extra spaces to be removed from their string representation.  While the resulting
                  RDN was technically equivalent to the expected version, the user-provided string
                  representation should have been retained.
                  <br><br>
                </li>

                <li>
                  Updated the source code for the Android LDAP client to match the 1.1 version
                  published in the Android market.
                  <br><br>
                </li>
              </ul>


              <h3>Version 1.1.5</h3>

              <p>
                The following changes were made between the 1.1.4 and 1.1.5 releases:
              </p>

              <ul>
                <li>
                  Added support for the content synchronization operation as defined in RFC 4533,
                  including the various controls and the intermediate response needed to interact
                  with servers supporting this feature.
                  <br><br>
                </li>

                <li>
                  Fixed a couple of bugs in the way that SSL handshaking is performed to make it
                  more robust, particularly when used over higher-latency network links.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could prevent an unbind request from being sent to the server
                  when closing a connection that had previously been closed and re-established.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 1.1.4</h3>

              <p>
                The following changes were made between the 1.1.3 and 1.1.4 releases:
              </p>

              <ul>
                <li>
                  Fixed a bug in the way that the LDAP SDK performed SSL or StartTLS negotiation
                  when using synchronous mode.  As a result of this bug, a race condition created a
                  condition in which the connection could be terminated with an error if any part
                  of the negotiation process took longer than 50 milliseconds.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>search-and-mod-rate</tt> tool that can be used to perform
                  searches as quickly as possible while also modifying each entry returned from
                  those searches.
                  <br><br>
                </li>

                <li>
                  Added a new Launcher class that can be used to invoke the various command-line
                  utilities without needing to use the associated shell scripts.  This is primarily
                  a convenience that makes it possible to use the tools when only the LDAP SDK jar
                  file is available.  The tools can be invoked using a command like:
                  <blockquote>
                    <tt>java -jar unboundid-ldapsdk.jar </tt><i>{tool-name} {tool-args}</i>
                  </blockquote>
                  <br><br>
                </li>

                <li>
                  Updated the ldapsearch tool to add the ability to perform the same search
                  multiple times using a specified interval.  This can be useful, for example, to
                  repeatedly retrieve a server monitor entry at regular intervals.
                  <br><br>
                </li>

                <li>
                  Updated the ldapsearch tool to add a terse mode that can be used to minimize the
                  output that it generates to include only minimal content.  It will exclude the
                  connect message, and entry and reference counts.  Further, all such messages
                  written in non-terse mode will be prefixed with "#" characters so that the entire
                  output will be valid LDIF.
                  <br><br>
                </li>

                <li>
                  Updated the traditional and thread-local connection pool implementations to
                  provide the ability to define the minimum length of time that should pass between
                  connection closures because they have been established for longer than the
                  maximum connection age.  This can help avoid cases in which a large number of
                  connections are closed and re-established in a short period of time.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK to provide a more useful exception in the event that the
                  connection is terminated as a result of an error encountered while trying to read
                  a response from the server.
                  <br><br>
                </li>

                <li>
                  Improved the searchrate, modrate, and authrate tools so that they are better able
                  to handle the case in which the connection to the server is lost or the server
                  becomes unavailable.  The tools will attempt to re-establish the connections
                  when the server again becomes available.
                  <br><br>
                </li>

                <li>
                  Updated several parts of the LDAP SDK to reduce the amount of memory allocation
                  performed and the amount of garbage created during processing.
                  <br><br>
                </li>

                <li>
                  Added a missing space between the numeric value and name in the string
                  representation of a result code.
                  <br><br>
                </li>

                <li>
                  Added support for a new dump DB details task which can be used to cause the
                  UnboundID Directory Server to write a summary of the contents of the databases in
                  a JE backend.
                  <br><br>
                </li>

                <li>
                  Added support for a new administrative alert task which can be used to cause the
                  UnboundID Directory Server to generate an arbitrary administrative alert and/or
                  to alter the set of degraded and unavailable alert types.
                  <br><br>
                </li>

                <li>
                  Improved support for replication server monitor entries to provide the ability to
                  parse additional replication server content, including the last known status for
                  the server, the last successful connect time, the last failed attempt time, and
                  the number of failed connection attempts.
                  <br><br>
                </li>

                <li>
                  Updated the support for the UnboundID work queue monitor entry to include access
                  to the recent-average-queue-size and current-worker-thread-percent-busy
                  attributes.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 1.1.3</h3>

              <p>
                The following changes were made between the 1.1.2 and 1.1.3 releases:
              </p>

              <ul>
                <li>
                  Added support for LDAP transactions as defined in RFC 5805.  This includes
                  support for the start and end transaction extended requests and results, the
                  transaction specification request control, and the aborted transaction
                  unsolicited notification.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>LDAPConnection.getActiveOperationCount</tt> method, which can be
                  used to obtain the number of operations that have been started but not yet
                  completed on that connection.  This will only be valid for connections that are
                  established and not operating in synchronous mode.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>searchForEntry</tt> method to the <tt>LDAPInterface</tt>
                  interface (and therefore for individual connections and connection pools) that
                  can be used to perform a search expected to return a single entry in a manner
                  that is more convenient than other search methods.
                  <br><br>
                </li>

                <li>
                  Added a number of convenience methods that make it easier to manipulate the
                  content of an add request request like an entry.
                  <br><br>
                </li>

                <li>
                  Updated the schema parsing code to be more lenient when attempting to parse
                  definitions which violate the specification.  In particular, it will now accept
                  OIDs surrounded in single quotes or OID lists not followed by spaces.  Even
                  though these are not allowed according to the LDAP specification, Active
                  Directory generates schema elements exhibiting these problems.  With these
                  changes, the LDAP SDK can now parse Active Directory schema elements.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>CommandLineTool</tt> API to provide methods for getting access to
                  the output and error streams to allow for more complex use than simply printing
                  messages to the terminal.
                  <br><br>
                </li>

                <li>
                  Fixed a potential bug in the value normalization code which could cause a string
                  index out of range exception when attempting to normalize a value containing only
                  non-ASCII space characters.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the <tt>EntryValidator</tt> class that could cause it to throw a
                  null pointer exception when attempting to process an entry that does not have any
                  object classes.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in which a debug message for an LDIF read is inadvertently written as
                  if it were an LDIF write.
                  <br><br>
                </li>

                <li>
                  Updated the searchrate tool so that it provides an asynchronous mode that can be
                  used to have multiple outstanding requests on a single connection.  When
                  operating in this mode, it is necessary to use either the existing
                  "<tt>--ratePerSecond</tt>" or the new "<tt>--maxOutstandingRequest</tt>" argument
                  to restrict the number of concurrent outstanding requests.  The total number of
                  connections to establish will still be controlled by the number of client
                  threads.
                  <br><br>
                </li>

                <li>
                  Updated the source for the Android LDAP client to reflect the code used for the
                  1.0 release available in the Android Market.
                  <br><br>
                </li>

                <li>
                  Added a new example tool that uses the stream directory values extended operation
                  to dump a list of the DNs of all entries located at or below a specified base DN.
                  <br><br>
                </li>

                <li>
                  Updated the system info monitor entry to add support for the new userName,
                  jvmPID, systemProperty, and environmentVariable attributes.
                  <br><br>
                </li>

                <li>
                  Updated the join request control to support  the new "contains" join rule, which
                  makes it possible to have a generated filter using a subAny substring filter
                  rather than an equality filter.
                  <br><br>
                </li>

                <li>
                  Updated the access log parsing code to add support for parsing forward
                  information contained in result messages, and for parsing client certificate log
                  messages.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 1.1.2</h3>

              <p>
                The following changes were made between the 1.1.1 and 1.1.2 releases:
              </p>

              <ul>
                <li>
                  Improved the behavior of the <tt>AttributeTypeDefinition</tt> class so that it
                  can better deal with attribute type definitions whose syntax element contains
                  the optional minimum upper bound component.  The <tt>getSyntaxOID()</tt> method
                  still returns the complete syntax OID (including the minimum upper bound, if
                  present), but a new <tt>getBaseSyntaxOID()</tt> method has been added that can
                  be used to obtain the syntax OID without the minimum upper bound, and a
                  <tt>getSyntaxMinimumUpperBound()</tt> method has been added that can be used to
                  obtain the minimum upper bound (or -1 if no minimum upper bound is defined).
                  In addition, the <tt>Schema.getAttributeSyntax</tt> method has been updated so
                  that it will ignore any minimum upper bound portion that may be included in the
                  provided OID.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>Entry.diff</tt> method that makes it possible to indicate
                  whether you want the resulting modifications to be reversible.  If the
                  modifications should be reversible (which was always the case in the past), then
                  the resulting list will contain only modifications with the ADD and DELETE
                  modification types, which could be played in reverse to recreate the source
                  entry from the target entry, but is more likely to fail if the entry has been
                  altered in some way since attempting to apply the modifications.  If the
                  modifications should not be reversible, then they will all use the REPLACE
                  modification type, which is not reversible but more likely to succeed even if
                  the entry has been altered.
                  <br><br>
                </li>

                <li>
                  Improved the way that the LDAP SDK generates string representations of DNs and
                  RDNs.  When creating a DN from a set of RDNs (or from an RDN and parent DN), it
                  will now use the string representations of the provided RDNs (and optionally DN)
                  rather than reconstructing the entire string representation.  This can help
                  preserve a user-supplied string representation if you do something like
                  "<tt>new DN(existingDN.getRDNs())</tt>", particularly if the existing DN had
                  characters that may be escaped but don't have to be.  In addition, a new
                  <tt>toMinimallyEncodedString</tt> method has been added to both the <tt>DN</tt>
                  and <tt>RDN</tt> classes which will construct a string representation of the
                  DN or RDN with a minimal set of escaped characters (e.g., non-ASCII characters
                  and non-printable ASCII characters will not be escaped).
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the LDIF reader in which it would refuse to decode an entry
                  containing only a DN but no attributes (e.g., like might be the case with a
                  search result entry where the requested attribute set contained only "1.1").
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the way that LDAP URLs were generated for URLs containing the
                  subordinate subtree search scope.  Previously, the string representation of
                  such URLs would have a scope of "subord" instead of the correct "subordinates"
                  as specified in draft-sermersheim-ldap-subordinate-scope.  It will still accept
                  URLs containing "subord", but will no longer generate them.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the <tt>LDAPCommandLineTool</tt> class that prevented the
                  <tt>--bindPasswordFile</tt> argument from being used in conjunction with the
                  <tt>--bindDN</tt> argument.  Due to an oversight, <tt>--bindPasswordFile</tt>
                  could only be used when performing SASL authentication when no bind DN was
                  given.
                  <br><br>
                </li>

                <li>
                  Added support for a new extended schema info request control, which can be
                  included in a search request targeting the schema subentry to cause it to
                  return extended information (including elements like X-SCHEMA-FILE and
                  X-READ-ONLY) in the schema elements that are returned.
                  <br><br>
                </li>

                <li>
                  Updated the UnboundID work queue monitor entry to include support for the new
                  num-busy-worker-threads, average-operation-queue-time-millis, and
                  recent-operation-queue-time-millis attributes.
                  <br><br>
                </li>

                <li>
                  Updated the access log parsing code to provide the ability to access the new
                  qtime element if it is present.
                  <br><br>
                </li>

                <li>
                  Added support for the search task, which can be used to perform an internal
                  search in the UnboundID Directory Server and write the results to an LDIF file
                  on the server filesystem.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 1.1.1</h3>

              <p>
                The following changes were made between the 1.1.0 and 1.1.1 releases:
              </p>

              <ul>
                <li>
                  Updated the searchrate, modrate, and authrate tools to change the way that they
                  signal the processing threads to start.  The previous approach could lead to
                  resource starvation causing the system to run with 100% CPU utilization for a
                  period of time.
                  <br><br>
                </li>

                <li>
                  Improved the accuracy of the searchrate, modrate, and authrate tools.  The
                  overall rates were accurate, but the recent rates could be slightly off.
                  In addition, the recent and overall rates for the first interval often didn't
                  match up.  These problems have been resolved.
                  <br><br>
                </li>

                <li>
                  Updated the searchrate and modrate tools to support the use of the proxied
                  authorization v2 control.  The authorization ID may be specified as a value
                  pattern, which makes it possible to specify a range of alternate authorization
                  identities.
                  <br><br>
                </li>

                <li>
                  Added <tt>isClosed</tt> methods to the connection pool implementations which can
                  be used to determine whether the connection pool has been closed.
                  <br><br>
                </li>

                <li>
                  Updated the value pattern implementation to provide support for reading values
                  from files.  Files should be referenced by URL, and it supports both local files
                  (using a URL like "file:///path/to/file") and remote files via HTTP (using a URL
                  like "http://server.example.com/path/to/file"), and that URL should be enclosed
                  in square brackets.  For example, a value pattern of "[file:///tmp/filters.txt]"
                  will cause the individual lines of the file "/tmp/filters.txt" to be read and
                  randomly substituted for that portion of the value pattern.
                  <br><br>
                </li>

                <li>
                  Updated the searchrate, modrate, and authrate tools so that they provide the
                  ability to display information about the result codes for operations that don't
                  complete successfully.  If any errors are encountered during processing, then
                  the result codes for those failures will be displayed along with the number of
                  times that result was returned.  The "--suppressErrorResultCodes" argument may
                  be provided to disable this capability.
                  <br><br>
                </li>

                <li>
                  Improved the behavior exhibited by the LDAP SDK when interacting with a server
                  that is completely unresponsive (e.g., as in the case in which the network cable
                  has been removed, or the server process has been halted with a command like
                  pstop).  This includes improved support for honoring any configured connect
                  timeout, even for SSL-based connections which did not previously support it.
                  Bind and extended requests can now have an explicit timeout assigned to them,
                  like was already possible for all other types of requests.  When duplicating a
                  request, any assigned timeout is also duplicated along with the other details of
                  that request.
                  <br><br>
                </li>

                <li>
                  Improved the error message in the exception thrown if a client-side timeout
                  occurs.  The updated message now includes the type of operation and the length
                  of time the client waited before considering the operation to have timed out.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>RootDSE</tt> and <tt>Schema</tt> classes so that their
                  constructors which take <tt>Entry</tt> objects are made public, since they can
                  be useful in code outside of the LDAP SDK.
                  <br><br>
                </li>

                <li>
                  Made the <tt>SearchRequest.getSearchResultListener</tt> method public so that
                  code outside of the LDAP SDK can determine whether a search result listener has
                  been configured for the search.
                  <br><br>
                </li>

                <li>
                  Updated the message properties files to use better format strings for messages
                  containing numbers.  Previously, large numbers could be formatted awkwardly
                  (e.g., including commas as grouping separators, like "12,345" instead of just
                  "12345").
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK so that the thread-local <tt>ASN1Buffer</tt> object used for
                  connections is made static rather than per-instance.  This can dramatically
                  reduce the amount of memory consumed for applications with large numbers of
                  connections that can be used by multiple threads.
                  <br><br>
                </li>

                <li>
                  Added methods that can be used to determine whether an attribute value needs to
                  be base64-encoded when represented in LDIF.  Also, updated the
                  <tt>Attribute.toString</tt> methods so that values will be base64-encoded in
                  that string representation if they should be base64-encoded in LDIF.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK so that it allows working with ASN.1 elements whose values
                  are contained in a portion of a byte array rather than always requiring them to
                  be the full array.  The sequence and set parsing code now takes advantage of
                  this, and elements decoded from them no longer require allocation of new arrays
                  for holding their values.
                  <br><br>
                </li>

                <li>
                  Improved support for client-side use of matching rules.  All matching rule
                  classes now provide the ability to retrieve the name and OID of the equality,
                  ordering, and substring matching rules that they implement.  The
                  <tt>MatchingRule</tt> class now provides the ability to select a matching rule
                  instance from the OID of the desired matching rule.  The <tt>EntrySorter</tt>
                  class has been updated so that if a sort key contains a matching rule ID, then
                  it will be used to select the matching rule to use for the client-side sorting.
                  <br><br>
                </li>

                <li>
                  Updated the schema parsing code so that when reading schema definitions from
                  LDAP or LDIF, any leading and trailing spaces will be trimmed before attempting
                  to parse the elements.  Technically, leading and trailing spaces are illegal
                  and should not be present in such definitions, but some servers are lenient and
                  allow them so the LDAP SDK should attempt to accommodate such definitions.  It
                  will still never generate schema element definitions containing leading or
                  trailing spaces.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK so that any debug messages or string representations of
                  exception stack traces that it generates will include the revision number of the
                  source repository from which the LDAP SDK was built.  This can help make it
                  easier to troubleshoot problems, since it is easier to identify the version of
                  the source used to generate the LDAP SDK build being used.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that can cause problems for clients operating in the default
                  asynchronous mode if the server sends response messages broken up into small
                  pieces rather than all a once.  In particular, if a response message contains
                  only the BER type, or only the BER type and a portion (but not all of) the
                  length, then the LDAP SDK may not be able to properly decode the full message if
                  there is a delay between the first and second packets with portions of the type
                  and length.  If this problem occurs, then the client would terminate the
                  connection to the server.
                  <br><br>
                </li>

                <li>
                  Updated the access log parsing classes to add support for the FORWARD-FAILED
                  messages which may be logged by the UnboundID Directory Proxy Server.
                  <br><br>
                </li>

                <li>
                  Added support for the administrative operation request control that may be
                  included in client requests sent to the UnboundID Directory Server to indicate
                  that the associated operation is administrative in nature rather than part of a
                  normal client request.
                  <br><br>
                </li>

                <li>
                  Updated the monitor entry parsing code to provide support for the
                  num-operations-in-progress and num-persistent-searches-in-progress attributes
                  exposed in the active operations monitor entry.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 1.1.0</h3>

              <p>
                The following changes were made between the 1.0.0 and 1.1.0 releases:
              </p>

              <ul>
                <li>
                  A new license has been added to the UnboundID LDAP SDK for Java.  In addition
                  to the previous GNU General Public License (GPLv2) and UnboundID LDAP SDK Free
                  Use License, the LDAP SDK is now available under the terms of the GNU Lesser
                  General Public License (LGPLv2.1).  This is an OSI-approved open source license
                  which allows the SDK to be used in a very wide range of applications (including
                  proprietary and commercial applications).
                  <br><br>
                </li>

                <li>
                  The LDAP SDK is now available in a SourceForge project at
                  <a href="http://sourceforge.net/projects/ldap-sdk/">http://sourceforge.net/projects/ldap-sdk/</a>.
                  This includes a subversion repository containing the source code, as well as a
                  new set of project mailing lists and a forum.
                  <br><br>
                </li>

                <li>
                  The LDAP SDK is now available for use with Maven.  It is available at
                  <a href="http://ldap-sdk.sourceforge.net/maven/">http://ldap-sdk.sourceforge.net/maven/</a>
                  with a groupId of "com.unboundid", an artifactId of "unboundid-ldapsdk", and a
                  version of "1.1.0".  In the near future, it will also be included in the Central
                  Repository.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>LDAPCommandLineTool</tt> class to provide support for handling
                  connections to multiple servers.  If this capability is enabled, then it will
                  allow multiple occurrences of the "--hostname" and "--port" arguments to be
                  provided.  If multiple addresses and ports are provided, then the same number of
                  each must be given, and a RoundRobinServerSet will be used when creating
                  connections so that each subsequent connection will be established to the next
                  server in the list, looping back to the beginning of the list when all servers
                  have been used.  The searchrate, modrate, and authrate tools have been updated
                  to take advantage of this capability, so they may now be used to process
                  operations concurrently against multiple servers.
                  <br><br>
                </li>

                <li>
                  Updated the build process so that the manifest for the generated jar file
                  contains an appropriate set of attributes to make the LDAP SDK more suitable for
                  use in an OSGi environment.  The added attributes include:  Bundle-Name,
                  Bundle-Version, Bundle-Vendor, Bundle-Copyright, Bundle-ManifestVersion,
                  Bundle-RequiredExecutionEnvironment, Bundle-Category, Bundle-DocURL, and
                  Export-Package.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>ResultCode.isConnectionUsable()</tt> method to be more
                  conservative so that it is more likely to return a false positive (i.e., the
                  connection will be considered unusable when it may still be usable) than a false
                  negative (the connection will be considered usable when it that is not the
                  case).  Also, non-static versions of the <tt>isClientSideResultCode()</tt> and
                  <tt>isConnectionUsable()</tt> methods have been added for convenience.
                  <br><br>
                </li>

                <li>
                  Added <tt>finalize()</tt> methods for the connection pool implementations so
                  that the pool will be closed when it is reaped by the garbage collector if that
                  was not already done.
                  <br><br>
                </li>

                <li>
                  Added support to make it easier to migrate applications written to use the
                  Netscape Directory SDK for Java to the UnboundID LDAP SDK for Java.  This
                  includes wrappers for a number of commonly-used classes in the Netscape API so
                  that in many cases it may be sufficient to simply change the import statements
                  of the application so that they reference
                  "com.unboundid.ldap.sdk.migrate.ldapjdk" instead of "netscape.ldap".  This is
                  not a complete re-implementation of the Netscape API (e.g., it does not directly
                  support applications written to use asynchronous operations), but in the common
                  case it should help significantly reduce the code change required to migrate an
                  application from the Netscape API to the UnboundID LDAP SDK for Java.
                  <br><br>
                </li>

                <li>
                  Added support to make it easier to migrate applications written to use the Java
                  Naming and Directory Interface (JNDI) to the UnboundID LDAP SDK for Java, or to
                  allow applications which use functionality provided by both APIs concurrently.
                  A new JNDIConverter class has been added which provides support for converting
                  between corresponding JNDI and LDAP SDK implementations of common data
                  structures, including attributes, controls, extended requests and responses,
                  modifications, and search result entries.
                  <br><br>
                </li>

                <li>
                  Added a new "use schema" LDAP connection option which can be used to cause
                  operations on the connection to make use of schema information when reading
                  data from the directory server.  In particular, the schema will be used to
                  select the appropriate matching rule for each attribute included in search
                  result entries.  The <tt>Attribute</tt> class has been updated to provide new
                  constructors which take <tt>Schema</tt> objects that allow that schema to be
                  used to select the appropriate matching rule for that attribute.
                  <br><br>
                </li>

                <li>
                  Added a set of <tt>Attribute.nameIsValid</tt> methods which can be used to
                  determine whether a provided string is a valid attribute name.
                  <br><br>
                </li>

                <li>
                  Added additional <tt>Attribute.hasValue</tt> and
                  <tt>Entry.hasAttributeValue</tt> methods which allow an alternate matching rule
                  to be provided which will be used when making the determination rather than the
                  matching rule with which that attribute type is associated.
                  <br><br>
                </li>

                <li>
                  Added support for the case-ignore list equality and substring matching rules,
                  as used by the postal address syntax.
                  <br><br>
                </li>

                <li>
                  Updated the searchrate, modrate, and authrate tools to include new command-line
                  options.  The "<tt>--timestampFormat</tt>" argument may be used to indicate
                  whether timestamps should be included in the output, and if so what format
                  should be used (either the time only or both the date and the time).  The
                  "<tt>--warmUpIntervals</tt>" argument may be used to indicate that the tool
                  should be allowed to run for a specified number of intervals before beginning
                  overall statistics collection to allow the client and the server to warm up.
                </li>
              </ul>

              <p></p>


              <h3>Version 1.0.0</h3>

              <p>
                The following changes were made between the 0.9.10 and 1.0.0 releases:
              </p>

              <ul>
                <li>
                  Updated the code used to read server responses so that it uses a result code of
                  "server down" rather than "protocol error" whenever an I/O error occurs while
                  reading the response.
                  <br><br>
                </li>

                <li>
                  Added support for the permissive modify control, which may be used to request
                  that the directory server accept modify requests which attempt to add an
                  attribute value that already exists in the target entry, or to remove an
                  attribute value which does not exist in the target entry.
                  <br><br>
                </li>

                <li>
                  Updated the code used to parse schema elements to be more lenient and
                  standards-compliant when handling optional spaces in definitions.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>LDAPThreadLocalConnectionPool</tt> class, which is very similar
                  to the existing <tt>LDAPConnectionPool</tt> class, except that it uses a
                  thread-local mechanism to maintain a separate connection for each client thread
                  that attempts to communicate with the server.  This can help eliminate some
                  thread contention, and can help avoid the need to define an explicit size for
                  the pool, since it will have as many connections as threads attempting to use
                  the pool.
                  <br><br>
                </li>

                <li>
                  Added the ability to create a <tt>Schema</tt> object by reading schema
                  definitions from one or more LDIF files.  It was previously only possible to
                  read schema information from a directory server over LDAP.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF reader to provide the ability to reject entries containing
                  duplicate values for the same attribute.  Previously, if an entry had multiple
                  occurrences of the same value for the same attribute, the LDIF reader would
                  simply silently ignore the duplicate values.  This is still the default
                  behavior, but it is now possible to configure the LDIF reader to reject
                  entries with duplicate attribute values.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF reader to provide the ability to use schema information when
                  reading entries and change records.  This can be used to help better handle
                  treatment of different values which might have otherwise been considered
                  duplicates using the default case-ignore string matching rule (e.g., attributes
                  that should use case-exact matching and have values that differ only in
                  capitalization).
                  <br><br>
                </li>

                <li>
                  Updated the validate-ldif tool provided with the LDAP SDK so that it offers the
                  ability to use schema definitions read from files rather than over LDAP (so that
                  it can be used in a completely offline manner).  It will also now reject entries
                  with duplicate attribute values by default, but provides an option to ignore such
                  errors.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>EntryValidator</tt> class so that it properly handles entries
                  with the <tt>extensibleObject</tt> object class.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could prevent LDAP connection statistics from being updated for
                  asynchronous search operations.
                  <br><br>
                </li>

                <li>
                  Added convenience methods to the <tt>Attribute</tt> and <tt>Entry</tt> classes
                  which may be used to retrieve attribute values as DNs.
                  <br><br>
                </li>

                <li>
                  Added convenience methods to the <tt>DN</tt> and <tt>Entry</tt> classes which
                  may be used to determine whether a given DN or entry is within the range of a
                  specified search base and scope.
                  <br><br>
                </li>

                <li>
                  Added an example tool that may be used to analyze and summarize the contents of
                  one or more UnboundID Directory Server access logs.  A number of useful items
                  are included, including information about the number, rate, and duration of
                  operations processed, the most common result codes returned, and the most common
                  types of filters used.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 0.9.10</h3>

              <p>
                The following changes were made between the 0.9.9 and 0.9.10 releases:
              </p>

              <ul>
                <li>
                  Updated the schema parsing code so that schema elements will be held in ordered
                  maps so that they can be accessed in the order they were returned by the server.
                  This can help ensure that order-based dependencies (e.g., an object class which
                  inherits from a superior class) may be properly maintained if they are returned
                  from the server in that order.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the schema parsing code that incorrectly selected a generalized
                  time matching rule when it should have chosen an integer matching rule.  This
                  could cause the validate-ldif tool to incorrectly report syntax violations for
                  data using an integer syntax, along with other failures for code relying on this
                  capability in the LDAP SDK.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK to add an option to operate in synchronous mode.  For
                  connections which do not need to invoke asynchronous operations and which will
                  not be used concurrently by multiple threads, then the application can use the
                  <tt>LDAPConnectionOptions.setUseSynchronousMode(true)</tt> method to enable
                  synchronous mode for the connection options before connecting to the directory
                  server.  When in this mode, responses will be read by the same thread which sent
                  the request, rather than by a separate reader thread.  This can significantly
                  improve performance when communicating with the server.
                  <br><br>
                  Other performance improvements have also been made in the LDAP SDK which may
                  benefit both the default asynchronous mode as well as the new synchronous
                  mode.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could cause intermittent failures with a "server down" result
                  in which the connection was terminated.  The problem would be triggered if the
                  client could not read an entire LDAP message at once and there was a significant
                  delay of greater than 50 milliseconds when attempting to read additional data as
                  part of the message.  This could cause the SDK to attempt to read the middle of
                  an LDAP message as if it were the beginning, which would cause a decoding
                  failure that would trigger the SDK to terminate the connection.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the ObjectClassDefinition class that caused it to ignore the
                  recursive argument.  Previously, it would always recursively get all superior
                  classes even if the recursive argument was set to false.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that prevented entries returned by automatically following a
                  referral from being included in the search result entry count.
                  <br><br>
                </li>

                <li>
                  Updated the LDAPSearch example tool to include an option for following referrals
                  encountered during processing.
                  <br><br>
                </li>
              </ul>

              <p></p>


              <h3>Version 0.9.9</h3>

              <p>
                The following changes were made between the 0.9.8 and 0.9.9 releases:
              </p>

              <ul>
                <li>
                  Updated the javadoc documentation to make the EntrySource API (and in particular
                  the LDAPEntrySource class) more visible.  References to LDAPEntrySource are now
                  present in the class-level documentation for the SearchRequest class and
                  SearchResultListener interface.
                  <br><br>
                </li>

                <li>
                  Created a new SearchResultReferenceEntrySourceException as a subclass of
                  EntrySourceException that will be thrown if a search result reference is returned
                  when using the LDAPEntrySource class.  This makes it easier to access the
                  contents of any search result references returned through this API.
                  <br><br>
                </li>

                <li>
                  Added LDAPException.hasControl methods that mirror the LDAPResult.hasControl
                  methods and provide additional convenience when working with controls in results
                  for operations that returned with a non-successful result.
                  <br><br>
                </li>

                <li>
                  Placed a maximum size on the blocking queue used to hold search result entries
                  and references while waiting for them to be processed.  This can help prevent
                  problems in which a client could be potentially overwhelmed or required to use a
                  lot of memory for a search that returns a large number of entries when a search
                  result listener is used and the client cannot process entries as quickly as they
                  are returned.  If the queue becomes full, then the LDAP SDK will push back
                  against the directory server so that it will only be able to send entries as
                  fast as the client can consume them.
                  <br><br>
                </li>

                <li>
                  Added the ability to control automatic referral following at a per-request level.
                  By default, the LDAP SDK will still use the behavior defined at the connection
                  level, but it is now possible to override that on a per-request level if desired.
                  <br><br>
                </li>

                <li>
                  Added the ability to include a call stack trace in debug log messages.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP connection pool implementation to ensure that the auto-reconnect
                  connection option is ignored for connections which are part of a connection pool.
                  In some cases, the use of this option for pooled connections could cause
                  connections to be re-established when the pool had attempted to close them.
                  <br><br>
                </li>

                <li>
                  Added the ability to assign user-friendly names to connections and connection
                  pools.  This can be helpful in applications which maintain multiple connections
                  or connection pools for different purposes.  The name of the connection or
                  connection pool can be queried via code and will also appear in the names of the
                  threads used to read responses from the directory server for those connections so
                  that they will be more visible in thread stack traces.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the LDIF writer that could cause an extra space to be added to the
                  beginning of the last line of a multi-line comment.
                  <br><br>
                </li>

                <li>
                  Updated LDAP connection pool implementations so that releasing a defunct
                  connection will not automatically cause a new connection to be created to replace
                  it if the pool already has the maximum number of available connections.
                  Previously, the connection pool could have created and then immediately closed
                  a connection in that scenario.
                  <br><br>
                </li>

                <li>
                  Added additional connection pool statistics that can be used to help distinguish
                  between differences in behavior when a connection was successfully checked out of
                  the pool.  It is now possible to differentiate between cases in which an
                  existing connection was returned without any wait, an existing connection was
                  returned after waiting for it to become available, or a new connection was
                  created to return to the client.  This can help make information available for
                  applications to understand whether their connection pools are sized
                  appropriately.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK to change the manner in which a connection is closed if it
                  is done by the Java finalizer (which would presumably only occur if a connection
                  was leaked by the application using it).  If the connection is part of a
                  connection pool, then it will now simply be terminated rather than released back
                  to the pool as a defunct connection.
                  <br><br>
                </li>

                <li>
                  Made the LDAPRequest.getLastMessageID() method public.  This was previously used
                  internally, but may be useful when trying to cancel a synchronous request from a
                  different thread.
                  <br><br>
                </li>

                <li>
                  Added the ability to control the send and receive buffer sizes for sockets used
                  when communicating with the directory server.
                  <br><br>
                </li>

                <li>
                  Updated the LDAP SDK to provide better information to clients in the event that a
                  connection is terminated because of an unrecoverable error encountered while
                  reading responses from the directory server.  This information was previously
                  only available through the debugging framework, but the LDAP SDK will now attempt
                  to generate a response to provide to the client with information about the
                  failure so that it will be available when debugging isn't enabled.
                  <br><br>
                </li>

                <li>
                  Added a static Attribute.getBaseName(String) method that may be used to retrieve
                  the base name without any attribute options for a specified attribute
                  description.
                  <br><br>
                </li>

                <li>
                  Updated the format of LDAP SDK debug messages to make them more consistent and
                  easier to parse.
                  <br><br>
                </li>

                <li>
                  Added the ability to capture a thread stack trace at the time that an attempt is
                  made to establish a connection.  This can be useful for debugging purposes,
                  especially for tracking down the source of a leaked connection.
                  <br><br>
                </li>

                <li>
                  Added the ability to update an Entry object with one or more modifications.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could prevent the LDAP SDK from correctly following referrals
                  for search operations.
                  <br><br>
                </li>

                <li>
                  Added support for the unsolicited cancel response control, which may be included
                  in responses the that UnboundID Directory Server sends for requests that are
                  canceled by the server for some reason other than being canceled by the client
                  (e.g., if the server is shutting down or the client connection is being
                  terminated and all outstanding operations for the client are being canceled).
                  <br><br>
                </li>

                <li>
                  Added support for the stream values extended request and intermediate response.
                  This request may be used to retrieve information about entry DNs or attribute
                  values for a specified set of entries in the server.
                  <br><br>
                </li>

                <li>
                  Added the ability to parse alert entries as included in the administrative alert
                  backend of the UnboundID Directory Server.
                  <br><br>
                </li>

                <li>
                  Updated the general monitor entry to add support for the degraded-alert-type,
                  unavailable-alert-type, instanceName, and startupID attributes.
                  <br><br>
                </li>

                <li>
                  Updated the active operations monitor entry to add support for the list of
                  active persistent searches.
                  <br><br>
                </li>

                <li>
                  Updated the processing time histogram monitor entry to add support for the
                  total count and average response time attributes.
                  <br><br>
                </li>

                <li>
                  Added support for the LDAP external server, replica, replication server, and
                  replication summary monitor entry types.
                  <br><br>
                </li>

                <li>
                  Updated the monitor entry API so that information from any types of Directory
                  Server monitor entries which are not explicitly supported by the LDAP SDK may
                  still be accessed using the generic API.
                  <br><br>
                </li>

                <li>
                  Added a new API which may be used for parsing access and error log messages as
                  generated by the UnboundID Directory Server.
                  <br><br>
                </li>

                <li>
                  Added support for the replication repair request control, which may be used to
                  process an add, delete, modify, or modify DN operation which will not be
                  replicated to any other server.  This control is primarily intended for use in
                  manually repairing replication conflicts.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 0.9.8</h3>

              <p>
                The following changes were made between the 0.9.7 and 0.9.8 releases:
              </p>

              <ul>
                <li>
                  Fixed a bug that could prevent the LDAP SDK from returning a response to the
                  StartTLS extended request if the server certificate was not trusted.
                  <br><br>
                </li>

                <li>
                  Fixed a bug that could cause the connection pool implementation to leak a
                  connection when performing a background health check if that connection was
                  examined multiple times in the same health check sequence.
                  <br><br>
                </li>

                <li>
                  Fixed a bug in the <tt>LDAPConnectionPool.getRootDSE()</tt> method in which it
                  could inadvertently check out two connections when only one was required.  Both
                  connections were properly returned to the pool, but holding the unnecessary
                  connection could create an artificial shortage of available connections.
                  <br><br>
                </li>

                <li>
                  Fixed a problem that caused the name of the background thread used by the
                  internal <tt>LDAPConnectionReader</tt> class to be set to "Connection reader for
                  LDAPConnection(not connected)" even when the connection was established.  This
                  has been changed so that it will be "Connection reader for {host}:{port}" when
                  the connection is established, and "Connection reader for {host}:{port} (closed)"
                  when the connection has been closed.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>com.unboundid.util.FixedRateBarrier</tt> class which can be used
                  to help try to perform operations no faster than a specified rate.  The authrate,
                  modrate, and searchrate tools have been updated to include a new
                  "<tt>--ratePerSecond</tt>" argument that can be used to attempt to process
                  authentications, modifies, and searches at the specified rate.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>CompareRequest</tt> class to make the
                  <tt>setAssertionValue(ASN1OctetString)</tt> method public, since it can be useful
                  in code outside of the LDAP SDK itself.
                  <br><br>
                </li>

                <li>
                  Added an <tt>Attribute.getMatchingRule()</tt> method that can be used to get the
                  matching rule that will be used by default for matching operations involving that
                  attribute.
                  <br><br>
                </li>

                <li>
                  Added the ability to easily convert between <tt>Filter</tt> objects (which are
                  normal search filters) and <tt>MatchedValuesFilter</tt> objects (which are used
                  in the matched values request control).  Not all search filters are valid matched
                  values filters, so an attempt to convert a search filter using an AND, OR, or NOT
                  component, or using an extensible match component with the "dnAttributes" flag
                  set will throw an exception.
                  <br><br>
                </li>

                <li>
                  Message strings used by the LDAP SDK have been updated so that they use single
                  quotes rather than double quotes.  If the messages generated by the LDAP SDK
                  (especially those included in exceptions) are consumed by and embedded in
                  messages from another application, then single quotes are less likely to create
                  confusion or need escaping if anything tries to parse those messages.
                  <br><br>
                </li>

                <li>
                  Updated the output of the authrate, modrate, and searchrate tools so that a row
                  of dashes is displayed between the column headings and the data, which moderately
                  improves the appearance.  This will not be used when CSV-formatted output is
                  requested.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 0.9.7</h3>

              <p>
                The following changes were made between the 0.9.6 and 0.9.7 releases:
              </p>

              <ul>
                <li>
                  Further improved the performance of the LDIFReader for entries containing
                  multi-valued attributes.  The change introduced the 0.9.6 version was only
                  applicable for entries with an LDIF representation of at least 100 lines.  The
                  new implementation works for entries of any size and can help dramatically
                  improve read performance for smaller static groups, whereas the previous change
                  only worked for large groups.
                  <br><br>
                </li>

                <li>
                  Added a new <tt>com.unboundid.ldap.sdk.CompactEntry</tt> class that provides much
                  of the same functionality of the <tt>Entry</tt> class but in a manner that
                  requires much less memory.  This is particularly useful for cases in which it may
                  be necessary to store a large number of entries in memory.  For one test
                  involving typical user entries, CompactEntry has been found to require only about
                  25% as much memory as Entry.  For another test involving static groups with 20
                  members each, CompactEntry has been found to require only about 31% as much
                  memory as Entry.
                  <br>
                  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                  Note that some operations involving CompactEntry may not perform as well as with
                  the corresponding methods in the Entry class, so it is generally recommended that
                  CompactEntry only be used when it is necessary to store a large number of entries
                  in memory.  Further, CompactEntry objects are read-only and the API does not
                  expose any way to directly alter their contents.
                  <br><br>
                </li>

                <li>
                  Fixed a potential null pointer exception that could arise as a result of a race
                  condition when closing a connection.
                  <br><br>
                </li>

                <li>
                  Made a minor change to the <tt>com.unboundid.ldif.LDIFChangeRecord</tt> class so
                  that the <tt>processChange</tt> method now takes an <tt>LDAPInterface</tt>
                  argument rather than an <tt>LDAPConnection</tt>.  This change is completely
                  backward compatible, since <tt>LDAPConnection</tt> implements
                  <tt>LDAPInterface</tt>, but the new version makes it more convenient to use with
                  connection pools.
                  <br><br>
                </li>

                <li>
                  Added source code for a simple application that allows the UnboundID LDAP SDK for
                  Java to be used to communicate with an LDAP directory server on Android mobile
                  devices.  This application makes it possible to perform searches against an LDAP
                  directory server, and can parse user entries to make it possible to call or
                  e-mail a user found in the directory, show a map of their location, or add
                  information about that user to the device's local contacts.  More information
                  about this application can be found at
                  <a href="http://directorymanager.wordpress.com/2009/03/24/using-ldap-on-android/">http://directorymanager.wordpress.com/2009/03/24/using-ldap-on-android/</a>,
                  including a video demonstrating its use.
                  <br><br>
                </li>
              </ul>

              <h3>Version 0.9.6</h3>

              <p>
                The following changes were made between the 0.9.5 and 0.9.6 releases:
              </p>

              <ul>
                <li>
                  Added support for the LDAP intermediate response protocol op type as described in
                  RFC 3771.  Intermediate responses provide the ability for operations to return
                  multiple responses to a single request.  A new
                  <tt>IntermediateResponseListener</tt> interface has been added, and clients can
                  use the <tt>LDAPRequest.setIntermediateResponseListener</tt> method to indicate
                  that any intermediate response messages returned in response to that request
                  should be made available via that interface.  If no intermediate response
                  listener is defined for a request, then any intermediate response messages
                  returned in response to that request will be silently discarded (although a debug
                  message will be generated).
                  <br><br>
                </li>

                <li>
                  Fixed a problem in the <tt>LDIFReader</tt> class in which it did not properly
                  propagate the <tt>LDIFException</tt> that was thrown if the first line of an
                  LDIF record started with a space.
                  <br><br>
                </li>

                <li>
                  Fixed a potential problem in the searchrate and modrate tools in which the
                  auto-reconnect flag did not get properly set on the connections that they used.
                  Before this fix, if the connection to the server was lost for some reason, then
                  they would not make any attempt to re-establish the connection.
                  <br><br>
                </li>

                <li>
                  Added a new authrate tool as an example.  It can be used to measure
                  authentication performance, where each authentication consists of a search to
                  retrieve a user entry followed by a bind to verify the password for that user.
                  It supports simple authentication, as well as the CRAM-MD5, DIGEST-MD5, and PLAIN
                  SASL mechanisms.
                  <br><br>
                </li>

                <li>
                  Updated the <tt>CommandLineTool</tt> API to make it possible to include example
                  usages for tools that will be included whenever the usage information is
                  displayed.  This can make it easier to understand how a given tool might be used.
                  The example tools provided with the LDAP SDK have been updated to provide this
                  capability.
                  <br><br>
                </li>

                <li>
                  Updated LDAP connection pools to provide support for a maximum connection age.
                  If a maximum connection age is defined, then any connection which has been
                  established for a longer period than this will be closed and replaced with a new
                  connection.
                  <br><br>
                </li>

                <li>
                  Created a new <tt>LDAPConnectionStatistics</tt> class that can be used to provide
                  information about the processing performed by the LDAP SDK.  The connection
                  statistics can be retrieved using the
                  <tt>LDAPConnection.getConnectionStatistics</tt> method, and they include
                  information about the number of times the connection has been established and
                  closed, the number of times each type of request message has been sent, the
                  number of times each type of response message has been received, and the total
                  and average response times for those operations.  This feature was suggested by
                  Philip Peake.
                  <br><br>
                </li>

                <li>
                  Created a new <tt>LDAPConnectionPoolStatistics</tt> class that can be used to
                  provide information about the processing performed by the connection pool.  The
                  connection pool statistics can be retrieved using the
                  <tt>LDAPConnectionPool.getConnectionPoolStatistics()</tt> method, and they
                  include the number of connections currently available in the pool, the maximum
                  number of connections that may be maintained in the pool, the number of
                  successful and failed attempts to create connections, the number of connections
                  that have been closed as defunct, expired, or unneeded, the number of successful
                  and failed attempts to retrieve a connection, and the number of valid connections
                  released back to the pool.  This feature was suggested by Philip Peake.
                  <br><br>
                </li>

                <li>
                  Updated LDAP connection pools to provide support for connection health checking.
                  Health check implementations may be used to perform custom checks to determine
                  whether a connection is valid at any of the following times:
                  <ul>
                    <li>Whenever a new connection is created for use in the pool</li>
                    <li>Whenever a connection is checked out of the pool</li>
                    <li>Whenever a connection is released back to the pool</li>
                    <li>After an exception has been caught while processing an operation in the
                        pool</li>
                  </ul>
                  In addition, a background thread will be used to periodically invoke health
                  checks against all available connections.  The <tt>ServerSet</tt> API has been
                  updated to provide the ability to make use of a health check in the course of
                  creating new connections.  A health check implementation has been provided that
                  can be used to retrieve a specified entry from the directory server.  The ability
                  or inability to retrieve the entry, as well as the time required to do so, can be
                  taken into consideration.  This feature was suggested by Philip Peake.
                  <br><br>
                </li>

                <li>
                  Added a number of convenience methods to the DN and RDN class that make it easier
                  to interact with them using their string representations.  For example, there are
                  now methods for determining if a string represents a valid DN or RDN, if two
                  strings represent the same DN or RDN, to determine whether there is a
                  hierarchical relationship between two strings representing DNs, and to compare
                  two DNs or RDNs based on their string representations.  This feature was
                  suggested by Felix Gaehtgens.
                  <br><br>
                </li>

                <li>
                  Updated the LDIF reader to significantly improve performance when reading entries
                  containing attributes with a large number of values (e.g., large static groups).
                  In a single-threaded test case involving reading static group entries with 2000
                  members each, performance has been improved by over 360x (i.e., over 36,000%).
                  This problem was reported by Felix Gaehtgens.
                  <br><br>
                </li>
              </ul>

              <p></p>

              <h3>Version 0.9.5</h3>

              <p>
                This was the initial public release of the UnboundID LDAP SDK for Java.
              </p>

